There’s  no  time  to  lose.  Renew 
by  4/30/08  to  receive  another 
complimentary  year  of  CSO 
magazine. 


Take  a  few  minutes  right  now,  and  renew  online  at: 


http://csoonline.com/renew/r38 

Renew  today  and  you  can  avoid  receiving  more  of 
these  renewal  requests  and  be  certain  that  your 
subscription  to  CSO  will  continue  uninterrupted. 


Rules  of 
Evidence 

Evaluating 
digital  |i 
forensics  \i 
tools  PAGE  14 


Rap  Sheet 

The  case  of 
the  paroled 
security 
officer  PAGE 32 


strengthens 
rour  defense 

y  Robin  Mejia 


April  2008  $9.00  www.csoonline.com 


Certified  Information  Systems  Auditor’" 


Exam  Registration:  24  September  2008 
Exam  Date:  1 3  December  2008 


CERTIFIED  INFORMATION 
SECURITY  MANAGER* 


www.isaca.  org/csomag 


April  2008  Vol.  7,  No.  3 


Features... 

18  Red  Team, 

Blue  Team 

Cover  Story  |  Infosec 

Playing  the  role  of  an  attacker  can 
make  your  team  better  at  defense. 
Here’s  how  to  run  an  effective 
simulation.  By  Robin  Mejia 

22  SEOwN3d!!l 

SEO,  Part  2  As  search  engine 
optimizers  played  fast  and  loose, 
a  reaction  from  the  search  engine 
companies  became  inevitable.  Now 
SEOs  are  forced  to  choose  hats: 
black  or  white.  By  Scott  Berinato 

28  The  Hidden  Risks 
of  TMI 

Risk  Analysis  Lead  paint  in  toys. 
Brain-eating  amoeba.  Identity  theft. 
We  know  more  than  ever  about  the 
risks  all  around  us.  Do  we  know  what 
too  much  information  is  doing  to  us? 
By  Scott  Berinato 


Also  Inside... 


2  From  the  Editor 
4  From  the  Publisher 

6  Join  the  Discussion 

CSOonline  readers  debate 
application  security  and 
dishonesty  in  IT. 

9  Briefing 

■  A  DIY  risk  matrix 

■  All  about  whaling 

■  Are  anonymizers 
anonymous? 

■  Malware’s  greatest  hits 

■  PayPal-approved  Web 
browsers 

■  The  ultimate  sick-day 
tracker 

■  Q&A  with  Northrop 
Grumman’sCISO 

14  Toolbox 

Rules  of  Evidence  How 

to  investigate  and  use 
digital  forensics  tools. 
ByMaryBrandei 


32  How  Not  to  Hire  an 
Information  Security 
Officer  Who’s  on  Parole 
Undercover  After  learning 
that  HR  “forgot”  to  do  a 
background  check  on  a 
security  staffer  with  a  felony 
record,  a  leader  reexamines 
his  organization’s  policies. 

34  The  Better 
Background? 

Industry  View  What’s  the 
better  experience  base  to  lead 
a  converged  organization- 
information  security  or 
physical  security?  A  recruiter 
gives  his  observations. 

ByJeff  Snyder 

36  Debriefing 

Root  Meaning 


CSO  (ISSN  1540-904X)  is  published  monthly  except  for  a  combined  issue  in  July/August  and  December/January  by  CXO  Media  Inc.,  492  Old  Connecticut  Path,  P.0.  Box  9208,  Framingham,  MA  01701-9208.  Periodical  Postage  Rate  at 
Framingham,  MA01701,  and  at  additional  mailingoffices.  Canadian  Publications  Mail  agreement  number  1902075.  Canadian  Postmaster:  Please  return  undeliverablecopytoP.O.  Boxl632,  Windsor,  ON  N9A7C9.Copyright2008  by 
CXO  Media  Inc.  All  rights  reserved.  Reproduction  of  material  appearing  in  CSO  is  forbidden  without  written  permission.  Permissionto  photocopy  forinternal  or  personal  useorthe  internal  or  personal  use  of  specificclients  is  granted 
by  CSOforusersthrough  the  Copyright  Clearance  Center,  provided  thatafee  of  $3.50  per  copy  ofthe  artideis  paid  directly  toCopyrightClearanceCenter,222  Rosewood  Drive,  Danvers,  MA  01970.  www.copYrigM.com.  Please  specify: 
ISSN  1540-904X.  Permission  to  photocopy  does  not  extend  to  contributed  articles— followed  by  this  symbol:  |.  Address  inquiries  to  CSO,  P.0.  Box  3482,  Northbrook,  IL  60065;  866  354-1125.  CSO  is  freeto  qualified  security  executives. 
Toall  others  the  one-year  basic  rate  is  $70forthe  United  States  and  Canada,  $95  to  foreign  countries  (payable  in  U.S.fundsonly).  The  single  copy  price  is  $9to  the  U.S.  and  Canadaand  $15  International.  Please  allow  fourtosix  weeks 
for  new  subscriptions  to  begin.  Change  of  Address:  Go  to  www.omeda.com/custsrv/cso  and  follow  the  online  instructions.  Postmaster:  Send  change  of  address  to:  CSO.  P.O.  Box  3482,  Northbrook,  IL  60065.  Printed  in  the  USA. 


Cover  illustration  by  John  MacDonald 


April  2008  www.csoonline.com  1 


[  FROM  THE  EDITOR] 


The  Soft  Part  Is 
the  Hard  Part, 
and  Vice  Versa 

Some  of  your  employees  don’t  under¬ 
stand  what  you  do  all  day.  Some  of 
your  vendors  don’t  either.  It’s  human 
nature-everyone  tends  to  look  at  the 
world  through  the  periscope  of  his  or  her  own 
duties  and  challenges. 

An  offhand  comment  at  lunch  from  an 
attendee  at  the  CSO  Perspectives  confer¬ 
ence  brought  this  home  to  me  again.  At  the 
conference,  we  hit  a  wide  variety  of  topics. 
Some  “soft”  stuff:  how  to  communicate  with 
the  board,  how  to  write  a  strategic  plan,  how 
to  build  employee  awareness.  Some  “hard" 
stuff:  botnets,  data  loss  prevention,  virtualiza¬ 
tion.  The  lunchtime  comment  was  somewhat 
dismissive  of  the  soft  stuff-the  “fluff”  that 
executives  seem  to  talk  about  so  much.  People 
with  less  seniority  in  an  organization  tend  to 
have  very  concrete  responsibilities,  for  lack  of 
a  better  word.  Vendors  tend  to  look  at  you  as 
“the  guys  who  buy  our  stuff,”  without  a  great 
deal  of  regard  for  what  your  other  issues  might 
be.  Metrics,  strategic  planning  and  particularly 
communication  issues  are  off  their  radar. 

These  differences  in  duties  lead  to  discon¬ 
nects.  A  guy  in  the  trenches  dismisses  your 
interest  in  fluff  and  wonders  why  you  waste  so 
much  time  in  meetings.  Conversely,  a  woman 
on  mahogany  row  refers  to  “the  rank  and  file” 
and  sometimes  even  uses  the  unfortunate 
and  unprofessional  phrase  “dumb  it  down”  in 
reference  to  communicating  with  the  general 
populace. 

All  of  these  disconnects  war  against  enter¬ 
prise  security. 

In  a  large  organization,  you  can’t  solve  the 


hard  problems  without  applying  the  soft  skills. 
You  can’t  have  great  security  without  executive 
and  employee  buy-in.  The  person  who  watches 
the  BugTraq  list  and  the  one  who  builds  a 
strategic  plan  are  both  necessary.  Throughout 
CSO’ s  history,  we’ve  emphasized  the  need  to 
solder  connections  between  physical  security 
and  cybersecurity;  that’s  one  gap  that,  happily, 
continues  to  shrink.  The  two  groups  no  longer 
sit  at  different  tables  during  our  conferences. 

As  always,  I  was  impressed  with  the  new 
folks  (and  familiar  faces)  I  met  at  CSO  Perspec¬ 
tives.  Great  networkers  with  lots  of  ideas  on 
how  to  connect  the  dots,  mesh  audiences,  and 
share  best  practices  without  jeopardizing 
confidentiality. 

Here’s  to  the  bridge  builders. 

-Derek  Slater,  dslater@icxo.com 


Editor  in  Chief  Derek  Slater 
Managing  Editor  Sarah  D.  Scalet 
Asst.  Managing  Editor  Diann  Daniel 
Staff  Writer  Katherine  Walsh 
Copy  Editor  Susan  Bryant-Still 
Associate  Copy  Editor 
Kristin  Burnham 

Editorial  Assistant  Jarina  D'Auria 
Editorial  Administrator 
Jill  Paquette 
Contributors 

Mary  Brandel,  Rick  Cook,  Fred 
Hapgood,  Robert  McMillan, 

Robin  Mejia,  Jeff  Snyder 

DESIGN 

Executive  Director,  Art  and 
Design  Mary  Lester 
Art  Director  Steve  Traynor 

RESEARCH 

Research  Manager  Carolyn  Johnson 
Senior  Research  Analyst 

Seanna  Maguire 

CXO  MEDIA/IDG 

COO  Matt  Smith 
CSO  Robert  Hayes 

TECHNICAL  ADVISORY  BOARD 

Jeremiah  Grossman,  WhiteHat  Security 
Frank  Murphy,  TBG  Security 
Stephen  Northcutt,  SANS  Institute 

EDITORIAL/ADVERTISING/ 
BUSINESS  OFFICES 

492  Old  Connecticut  Path, 

P.O.  Box  9208, 

Framingham,  MA  01701-9208 
Main  phone  number:  508  872-0080 

CXOVMEDIA  INC. 

INTERNATIONAL  DATA  GROUP 

Chairman  of  the  Board 
Patrick  J.  McGovern 

IDG  COMMUNICATIONS,  INC. 

CEO 

Bob  Carrigan 


#BPA 


WORLDWIDE- 


2  www.csoonline.com  April  2008 


Photo  by  Webb  Chappell 


GO 

BIGFIX 

SYSTEMS  MANAGEMENT  IN 


BIGFIX  actually  lets  you  see.  We  offer 
the  IT  industry’s  only  converged  security 
&  operations  platform  that  enables 
real-time  visibility  and  control  of  globally 
distributed  desktop,  mobile  and  server 
infrastructures.  Are  you  using  LANDesk, 
McAfee,  Microsoft  or  Symantec?  Relax. 
You  won’t  have  to  unplug  a  thing.  We  just 
give  you — here’s  a  novel  idea — eyes. 


I 


l 


A  VERY  DANGEROUS  WORLD 

For  IT  pros  who  want  to  instantly  turn 
on  the  lights,  call  510-652-6700  xl  16  or 
visit  www.bigfix.com/geteyes.  We’ll  give 
you  unprecedented  visibility.  At  your  site. 

Any  time.  And  we’re  betting  you  won’t  let 
us  pull  the  plug  after  our  30-day 
tour  de  force.  Because  you  wouldn’t 
willingly  stumble  around  in  the  dark, 
waiting  for  nocturnal  predators. 


Visibility  Factors 

BIGFIXI 

LANDesk 

McAfee 

Microsoft 

Symantec 

Pervasive  Asset  Discovery 

Yes  J| 

Blind 

Blind 

Blind 

Blind 

Mobile  Computer  Management/Security 

Yes 

Blind 

Blind 

Blind 

What’s  that? 

Task  Verification  Speed 

Real  Time 

Weeks 

Weeks 

Forever 

Weeks 

All  Popular  Endpoint  OSs  Supported 

Yes  Jjj 

Blind 

Blind 

Huh? 

Blind 

Number  of  Administrators  Required 

1  li 

Dozens 

Dozens 

Dozens 

Dozens 

Number  of  Servers  Needed 

1  ' 1 

Acres 

Acres 

Acres 

Acres 

Number  of  Agents/Consoles/Toolsets 

1  1 

Lots 

Lots 

Lots 

Lots 

Time  to  Implement 

1  Day  H 

Months 

Months 

Months 

Months 

Total  Cost  of  Ownership 

Lowest 

Your  Job 

YourMarriage 

Your  Sanity 

Your  Career 

o 


•  J  BIGFIX’ 

We  mean  business 

©2007  BIGFIX.  BIGFIX  and  its  logo  are  registered  trademarks  of  BIGFIX,  Inc.  All  other  trademarks  arl 


Hear  everybody  shout  “Hallelujah,  I  can  see!” 
at  the  2008  RSA  Conference  •  April  7th  -11th 
San  Francisco  •  Moscone  Center  •  Booth  523 


rely  and  respectfully  acknowledged. 


[  FROM  THE  PUBLISHER  ] 


Connecting 

Dots 

As  publisher  of  CSO I  have  the  great  honor 
of  meeting  a  great  many  very  smart 
people.  This  is  a  good  thing  because  it 
certainly  helps  compensate  for  my  gaps 
in  knowledge.  This  past  month  has  been  an 
exceptional  one  in  particular. 

During  March  I  had  the  good  fortune  to 
spend  some  time  at  one  of  our  annual  events, 
the  2008  CSO  Perspectives  conference,  and  was 
again  amazed  by  the  depth  of  knowledge,  expe¬ 
rience  and  insight  that  is  displayed  by  those  in 
the  security  profession.  This  year’s  conference 
was  themed  “Becoming  the  Complete  CSO.” 
From  those  of  you  who  attended  and  whom  I 
had  a  chance  to  speak  with,  there  was  universal 
praise.  Not  just  for  the  content  and  speakers 
(which  were  great)  but  also  for  the  recognition 
that  CSOs  are  rising  to  ever-greater  heights 
within  their  organizations  and  that  sometimes, 
at  those  elevations,  an  individual’s  focus  must 
shift  from  tactical  to  strategic. 

The  week  prior  to  CSO  Perspectives  I 
was  at  my  good  friend  Robert  Rodriguez’s 
IT  Security  Entrepreneurs’  Forum  (ITSEF)  at 
Stanford  University.  Funded  by  the  Depart¬ 
ment  of  Homeland  Security  and  the  Kauffman 
Foundation,  the  ITSEF  focuses  on  bringing 
together  early-stage  security  businesses,  the 
federal  government  and  the  venture  capital 
community  to  make  sure  that  important  tech¬ 
nologies  that  address  critical  security  issues 
don’t  fall  by  the  wayside  before  they  can  be 
fully  commercialized.  In  this  fast-growing  but 
increasingly  consolidating  industry,  the  danger 
of  critical-technology  obscurity  should  be  of 
concern  to  all  security  professionals.  As  with 
CSO  Perspectives,  this  was  another  occasion 
for  me  to  rub  elbows  with  some  very  smart 
people  in  this  business  and  to  learn  from  them. 

So  what  did  l  learn  this  month?  First,  that 
security  is  the  responsibility  of  everybody- 
from  the  janitor  to  the  CEO.  Without  a  culture 
of  security,  an  organization  will  always  be  vul¬ 


nerable.  Second,  that  security  is  not  just  about 
the  technology.  CSOs  walk  a  fine  line  between 
security  and  business  and  must  constantly 
strike  a  balance  between  the  two.  CSOs  must 
understand  the  issues  of  both  sides  and  act  as 
a  liaison  between  the  folks  from  the  business 
side  and  those  from  the  security  side-both  are 
critical  to  selling  the  value  of  security.  Finally, 
despite  what  you  may  hear,  there  are  a  lot  of 
CSOs  doing  the  first  two  very,  very  well.  My 
advice  to  those  CSOs  who  struggle  with  the 
balance  of  tactical  and  strategic  responsibili¬ 
ties?  To  those  who  find  it  difficult  to  integrate 
security  and  business  objectives?  To  those 
who  struggle  to  sell  the  value  of  security  in 
their  organizations?  Find  your  peers  and  learn 
from  them.  CSOs  are  the  most  willing  group  of 
professionals  I  have  ever  had  the  pleasure  to 


work  with  when  it  comes  to  helping  their  peers 
and  advancing  their  profession.  Read  CSO  and 
visit  CSOonline.com.  Meet  your  peers  at  con¬ 
ferences,  dinners  and  industry  organizations, 
or  just  call  the  CSO  down  the  street  and  grab 
coffee.  You  may  be  amazed  what  you’ll  learn 
and  the  value  of  what  you  can  share. 

How  do  you  share  information  with  your 
peers?  E-mail  what  you  do  and  how  it's  work- 
ing-l  look  forward  to  hearing. 

-Bob  Bragdon,  bbragdon@cxo.com 


Advertiser  Index 


BigFix  Inc . 3 

CXO  Media  Inc . 8,27,35 


Deloitte  Development  LLC _ C3 


Gardaworld . 5 

HID  Corp . 15 


I  SAC  A . C2 

RSA  Security  Inc . C4 


President  and  CEO 
Michael  Friedenberg 
Publisher  Bob  Bragdon 
Senior  Ad  Sales  Associate 
Christine  McKay 
East  Coast  Regional  Manager 
Roz  Burke 

Regional  Sales  Manager  Matt  Knuth 

INTEGRATED  MEDIA  AND 
ONLINE  SALES 

Vice  President,  Online  Sales 

Brian  Glynn 

Online  Regional  Sales  Manager 
Richard  Hartman 
Online  Regional  Sales  Manager, 
West  Coast  Erika  Karr 
Online  Regional  Sales  Manager, 
Midwest  Sarah  Gaskin 
Manager,  Online  Account  Services 
Danielle  Tetreault 

Online  Account  Services  Specialists 
Jennifer  Malkasian,  Valerie  Sumner 
Online  Advertising  Specialist 
Barbara  Sullivan 
Online  Sales  Associate 
Erin  Sullivan 

CUSTOM  SOLUTIONS  GROUP 

Vice  President  Matt  Avery 
National  Sales  Director 

Adam  Dennison 

PRODUCTION 

VP/Manufacturing  Chris  Cuoco 
Production  Manager  Heidi  Broadley 
Associate  Production  Manager 

Lisa  M.  Stevenson 

EXECUTIVE  PROGRAMS 

VP,  Executive  Programs 
Ellen  Daly 

Director,  Event  Marketing 

Mary  Conroy 

Director,  Event  Operations 

Deb  Begreen 

Editorial  Director  Maryfran  Johnson 
National  Sales  Manager 
Per  Melker 
Event  Planners 
Kevin  Corrigan,  Sarah  Reagan 
Event  Planner/Client  Relations 
Laura  Biringer 

Registration  Specialist  Cress  O'Brien 
Marketing  Specialist  Kristin  Gallo 
Client  Services  Specialist  Erica  Foster 

LIST  SERVICES 

Contact  Paul  Capone  of 
IDG  List  Services  at  508  370-0865  or 
pcaponeiSidglist.com 

REPRINTS  &  PERMISSIONS 

For  information  about  reprints  and 
copyright  permissions,  please  contact 
The  YGS  Group,  800-290-5460  ext.  150, 
csoStheygsgroup.com 


4  www.csoonline.com  April  2008 


Photo  by  Christopher  Navin 


Vance  Investigative  and  Global  Risks  Services 

are  now  GardaWorld  -  A  new  name  for  the  experts  you  know  and  trust 


For  decades,  Fortune  500  corporations,  law  firms,  financial 
institutions  and  government  agencies  around  the  world  have  trusted 
Vance  to  provide  turnkey  risk  management  and  investigative 
services  to  protect  their  people  and  assets.  GardaWorld 
Consulting  &  Investigation  I  Global  Risks  Group’s  unique 
approach  to  security  and  intelligence  services  helps  clients  focus 
on  strategic  business  objectives  within  a  clearly  defined  operational 
and  intelligence-led  security  framework. 

Combining  the  global  expertise  of  its  professionals  and  local 
knowledge  from  networks  of  high-ranking  government,  police, 
military  and  business  contacts  in-country,  GardaWorld  applies 
a  discreet  approach  for  market-entry  strategies,  ongoing 
security  plans  and  investigative  cases.  In  fact,  only  our  name  has 
changed. 


Contact  our  global  experts  at  800.533.6754  or 
information@garda-world.com.  garda-world.com 


The  same  experts— from  the  company’s  seasoned  management 
team  to  its  experienced  former  federal  and  local  law  enforcement 
investigators,  prosecuting  and  defense  attorneys,  forensic 
accountants,  certified  fraud  examiners,  digital  forensic  experts, 
risk  profilers  and  auditors — provide  with  extensive  experience  in 
both  established  and  emerging  markets,  jurisdictions  and  courts 
throughout  the  world  with  a  total  commitment  to  high  quality 
standards.  Under  the  GardaWorld  name,  Vance  experts 
continue  to  work  diligently  to  understand  client  goals  and  objectives 
before  creating  a  comprehensive  security  framework  to  support 
and  enable  the  execution  required  for  achieving  those  goals. 


FORMERLY  VANCt 


What’s  on  your  mind?  Security  leaders  discuss 
and  debate  at  www.csoonhne.com. 


BLOG  POST 


PCI:  I've  Got  My 
Cranky  Pants 
On  Again 

Excerpts  from  Ed  Adams’s  rant 
on  application  security 

This  week’s  disclosure  of  the 
Hannaford  data  breach  got 
me  to  thinking  about  PCI  and 
application  security.  And  it  gets 
me  pretty  cranky  when  I  look  at 
the  PCI  Data  Security  Standard  (DSS)  and 
realize  how  far  we  haven’t  come  with  respect 
to  AppSec  in  that  set  of  requirements  and 
audit  procedures. 

The  PCI  DSS  is  one  of  the  more  prescrip¬ 
tive  and  comprehensive  industry  standards 
aimed  at  protecting  consumer  credit  card 
and  personal  identity  information— and  I 
have  praised  it  on  many  occasions  in  this 
blog  and  in  other  public  venues;  however, 
that  does  not  mean  it  is  an  effective  or  prac¬ 
tical  standard  yet.  In  fact,  it  still  has  a  very 
long  way  to  go  before  its  intention  meets  its 


implementation.  The  PCI 
Security  Standards  Coun¬ 
cil  is  made  up  of  seemingly 
smart  folks  from  the  credit 
card  brands  and  security 
industry;  unfortunately, 
this  group  is  saddled  with 
competitive  conflicts  of 
interest,  inherited  and 
inconsistent  requirements 
from  legacy  data  protec¬ 
tion  programs,  and,  worst 
of  all,  a  complete  lack  of  understanding  on 
how  to  best  protect  card  data  and  consumer 
identity. 

PCI  DSS  does  an  adequate  job  of  defin¬ 
ing  audit  procedures  around  policy,  net¬ 
work  segmentation,  access  controls  and 
perimeter  defenses  such  as  firewalls; 
however,  it  is  still  woefully  inadequate  in 
addressing  the  biggest  risk  to  cardholder 
data— the  application  layer.  Sure,  there  are 
some  new  requirements  that  take  effect 
in  June  2008  for  Web-facing  applications, 
but  those  new  requirements  were  rushed 
into  the  standard  and  obviously  not  well 
thought  out.  For  example,  all  Web-facing 
applications  must  either  undergo  a  code 
review  from  an  organization  that  special¬ 
izes  in  application  security  or  have  a  Web 
application  firewall  installed  in  front  of  it. 
What?  Any  half-witted  application  security 
consultant  will  tell  you  that  the  two  are  not 
mutually  replaceable  solutions.... 

Aberdeen  Group  published  a  study  in 
mid-2007  that  stated,  “70%  of  companies 
today  are  not  applying  secure  application 
development  techniques  in  their  software 
development  practices.”  Seventy  percent! 
Are  you  kidding  me?  Couple  that  with  the 
fact  that  anywhere  from  75  percent  to  92 
percent  of  all  security  vulnerabilities  exist 


in  the  application  layer  and  not  the  network 
or  system  layer  (according  to  Gartner  and 
National  Institute  of  Standards  and  Tech¬ 
nology)  and  we  have  a  powder  keg  waiting 
to  blow. 

Organizations  that  accept  and  process 
credit  card  transactions  (merchants,  banks 
and  so  on)  have  the  most  critical  data 
exposed  in  the  most  vulnerable  location— 
because  applications  have  to  access  data  in 
non-encrypted  formats— so  you  can  forget 
about  the  protections  provided  by  database 
or  on-the-wire  encryption. 

The  long-awaited  update  to  PCI’s  PA- 
DSS  (Payment  Application  Data  Security 
Standard)  is  due  out  in  2008. 1  can’t  wait  to 
see  how  this  is  handled  by  the  PCI  Security 
Council  and  which  companies  they  will 
“certify”  as  able  to  conduct  application-layer 
audits.  If  it’s  anything  like  the  current  QSA 
(Qualified  Security  Assessor)  and  ASV 
(Authorized  Scanning  Vendor)  programs, 
it  will  be  a  mess. 

Wake  up  people!  Wake  up  PCI  Security 
Council!  There’s  an  epidemic  happening 
and  it’s  called  application  security.  You  want 
to  protect  your  data?  Look  at  your  applica¬ 
tions  and  be  afraid.  Be  very,  very  afraid. 

BLOG  POST 

Dishonesty  in  IT 

Chad  McDonald  says  the  truth 
should  prevail  (more  often) 


ou’ve  done  it.  I’ve  done  it.  I’m 
sure  we’ve  all  done  it  at  some 
point,  but  why?  I’m  not  talking 
about  drugs  or  smoking.  I’m 
talking  about  misrepresenting 


6  www.csoonline.com  April  2008 


Photos  by  AP/Wide  World  Photos 


the  truth.  I  contend  that  IT  as  an  industry 
has  accepted  dishonesty  and  disinforma¬ 
tion  as  standard  practice. 

Let  me  give  you  an  analogy  of  this  situa¬ 
tion.  My  Toyota  is  having  mechanical  prob¬ 
lems:  When  I  press  the  brake  pedal,  the  car 
takes  a  long  time  to  stop.  I  take  my  car  to 
the  dealership’s  mechanic.  The  mechanic 
agrees  that  when  I  press  the  brake  pedal 
my  car  should  stop.  After  weeks  of  working 
on  my  car,  the  mechanic  phones  me  that  the 
repairs  are  complete.  I  get  to  the  dealership 
and  the  mechanic  hands  me  a  cheeseburger. 
Confused,  I  ask  why  I  am  now  holding  a 
cheeseburger. 

“Well,  you  wanted  your  car  to  stop  when 
you  press  the  brake  pedal.” 

More  confused,  I  reply,  “Yes,  but  why 
the  cheeseburger?” 

“Exactly,”  says  the  mechanic. 

Now  I’m  just  pissed  off,  “...Exactly  what? 


MORE  ON  THE  WEB 

Communication 
will  be  key  “if  the 
pandemic  plan  is  to 
close  schools  before 

lperceiit  of 
the  population 
becomes 
infected.” 

-Dr.  Joan  Pfinsgraff,  director  of 
health  intelligence  atiJet 
http://www2.csoonline 
.com/exclusives/column 
.html?CID=33615 


Do  my  brakes  work?” 

“You  were  a  quart  low  on  cheeseburger. 
Hold  this  and  everything  will  be  fine,”  says 
the  mechanic. 

That  analogy  serves  to  illustrate  an 
alarming  truth:  Instead  of  a)  fixing  the 
problem,  b)  defining  why  it  can’t  be  fixed, 
or  c)  admitting  that  they  don’t  know  how  to 
fix  it,  an  increasing  number  of  people  sim¬ 
ply  lie,  “amplify  the  truth”— or  create  diver¬ 
sions  to  distract  you  from  those  nontruths. 

A  good  deal  of  what  Microsoft  says  can 
fall  into  these  categories.  Take,  for  instance, 
the  assertion  by  Microsoft  that  Vista  is 
more  secure  than  Linux  or  OS  X.  Common 
knowledge  (and  common  sense)  tell  us  that 
this  isn’t  the  case,  but  instead  of  owning  up 
to  the  shortcomings,  the  truth  gets  spun 
into  some  marketing  hype  that  running 
Vista  will  make  you  taller,  more  attractive, 
and  cure  you  of  the  common  cold.  I  do 
understand  why  big  companies  like  Micro¬ 
soft  fall  into  this  trap,  they  have  to  so  that 
they  can  convince  us  to  buy  their  products. 
I  imagine  that  there  would  be  an  audible 
thud  on  Wall  Street  if  Microsoft  started  a 
new  ad  campaign,  “Our  products  suck,  but 
we  have  market  share.  Buy  Microsoft  or  you 
will  be  consumed!” 

On  the  smaller  scale,  though,  is  there 
really  a  huge  disincentive  for  your  average 
system  administrator  or  CIO  to  own  up  to 
the  truth?  In  a  government  agency  or  pri¬ 
vately  held  organization,  how  much  fallout 
could  there  be?  I  suppose  in  some  respects 
that  the  damage  done  by  admitting  a  mis¬ 
take  could  be  troublesome,  but  when  you 
abuse  the  truth,  aren’t  you  putting  your 
relationship  with  your  constituents  at  risk? 
We  have  entered  a  new  age  in  which  most 
of  our  clients  are  tech- savvy  enough  to  be 
able  to  accept  the  truth  for  any  IT-based 
issue  without  us  spoon-feeding  them  a 
pabulum  of  falsehoods  and  misinforma¬ 
tion.  Smoke  and  mirrors  IT  is  a  detriment 
to  the  field  and  in  my  un-humble  opinion, 
if  you  can’t  be  leader  enough  to  communi¬ 
cate  truthfully  with  your  clients  then  you 
should  consider  a  career  change— perhaps 
as  an  auto  mechanic.  Realistically,  if  you 
explain  to  your  clients  that  you  forgot  to 
place  a  semicolon  correctly  in  the  200,000 
lines  of  code,  isn’t  that  better  than  saying 
there  isn’t  a  solution  or  that  the  company 
will  need  to  buy  everyone  a  new  computer 
to  meet  the  increased  computing  demands 


HOWTO 

REACH 

US 

You  can  contact  us 
directly  or  post  your 
thoughts  on  specific 
articles  and  blogs  at 
www.csoonline.com. 

Derek  Slater,  Editor  in  Chief 

dslater@cxo.com 

508  935-4213 

Sarah  D.  Scalet,  Managing  Editor 

sscalet@cxo.com 

973  338-0059 

Katherine  Walsh,  Staff  Writer 

kwalsh@cxo.com 

508  988-6939 

Subscriber  Services 

Phone:866  354-1125 
Fax:  847  564-9453 
E-mail:  cso@omeda.com 

Reprints  &  Permissions 

For  information  about  reprints 
and  copyright  permissions, 
please  contact  The  YGS  Group, 
800  290-5460,  ext.  150, 
cso@theygsgroup.com 


of  the  new  version  of  Notepad.  How  about 
saying,  “Despite  our  months  of  testing  this 
complex  software,  we  missed  an  important 
coding  element  that  resulted  in  the  problem 
that  you  see  now.  We  have  a  fix  that  is  being 
tested  now  and  will  be  distributing  that 
as  soon  as  we  have  further  validated  our 
coding.”  The  nonsense  I  hear  served  up  as 
explanations  for  problems  is  truly  astound¬ 
ing.  As  IT  becomes  increasingly  commod¬ 
itized,  the  relationship  between  the  IT  shop 
and  the  core  business  clients  will  be  a  major 
factor  in  whether  or  not  the  business  relies 
on  your  IT  shop  for  its  services.  How  many 
times  would  you  expect  me  to  take  my  Toy¬ 
ota  to  the  burger -flipping  mechanic  when 
there  is  another  wrench-toting  mechanic 
across  the  street?  If  your  IT  shop  isn’t  will¬ 
ing  to  be  aboveboard  with  its  clients,  then 
rest  assured  that  your  clients  won’t  be  deal¬ 
ing  with  your  IT  shop  for  long. 

-  Chad  McDonald 


April  2008  www.csoonline.com  7 


BUSINESS  RISK  LEADERSHIP 


Tin  doing  my  job  if  I  am  getting  dumber.  ” 

PAGE  13 


TRENDS,  STATS  AND  FAST  FACTS 
Edited  by  Sarah  D.  Scalet 


ASSESSMENT 

PG&E  Threat 
System  Used  for 
Good  Measure 

Internally  developed 
risk  matrix  helps  utility 
company  figure  out  which 
vulnerabilities  to  focus  on  first 

Like  many  other  security  professionals, 
PG&E’s  Seth  Bromberger  gets  up  every 
morning  and  faces  a  serious  case  of 
information  overload.  Not  a  day  goes 
by  without  the  report  of  some  new  software 
bug  or  security  vulnerability.  Weekly  bug 
reports  have  jumped  from  just  a  handful  of 
issues  a  few  years  ago  to  more  than  400  in  a 
typical  week. 

But  what  to  do  with  all  this  information? 

And  how  to  decide  which  problems  need  to  be 
fixed  first?  Two  years  ago,  Bromberger,  man¬ 
ager  of  information  security  and  his  security 
team  at  PG&E,  started  developing  a  threat 
assessment  system  that  would  answer  this 
question.  It’s  inexpensive,  easy  to  maintain  and- 
most  important-it  helps  him  sleep  at  night. 

Like  most  organizations,  PG&E  had  a 
pretty  good  handle  on  vulnerabilities,  but  the 
utility  company  didn’t  really  have  a  great  way 
of  measuring  threats-evaluating  the  odds  of 
whether  anyone  was  likely  to  actually  exploit 
the  problem. 

This  is  a  common  state  of  affairs,  according 
to  Eugene  Schultz,  CTO  at  High  Tower  Software, 
a  company  in  Aliso  Viejo,  Calif.,  that  special¬ 
izes  in  security  event  management  appliances. 
“That’s  because  we  don’t  really  understand 
threats  very  well,  and  what  we  don’t  under¬ 


stand,  we  tend  to  gloss  over.” 

Bromberger  puts  it  another  way.  “There’s 
a  question  as  to  whether  there’s  any  benefit  in 
measuring  the  threat,”  he  says.  “If  you  know 
you  have  vulnerability,  do  you  really  care 
about  the  threat?” 

PG&E  decided  that  it  did,  in  part,  because 
it  had  to  develop  a  rational  way  of  prioritizing 
the  vulnerabilities.  So  Bromberger  met  with 
his  staff,  and  over  the  course  of  just  a  few  days 
they  hammered  out  a  first  draft  of  a  risk  matrix 
for  his  company.  (He  guesses  it  took  about  150 
hours  of  labor.)  First  they  identified  close  to 
40  “threat  agents.”  These  can  be  things  like 
disgruntled  employees,  nation-states,  nature 
itself  or  even  journalists.  When  a  vulnerability 
is  identified,  PG&E  looks  through  this  matrix 
and  determines  which  of  these  agents  have 
the  capability  of  exploiting  the  issue. 


Here’s  how  the  matrix  works:  Bromberg- 
er’s  team  rates  the  capabilities  of  every  threat 
agent,  giving  each  one  a  score  between  0 
and  5.  A  nation-state  would  have  a  “finan¬ 
cial"  capability  of  5,  but  a  “PG&E  institutional 
knowledge”  capability  of,  say,  a  1  or  a  2.  Then 
when  vulnerabilities  crop  up,  the  team  decides 
what  kind  of  capabilities  are  needed  to  exploit 
them,  using  the  same  scale.  If  a  known  threat 
agent  has  the  capability  to  exploit  a  known 
vulnerability,  it  gets  priority  treatment. 

The  best  thing  about  the  system  is  that 
even  if  it  misjudges  a  threat,  the  security  team 
can  adjust  the  matrix.  “Even  if  the  methodol¬ 
ogy  were  flawed,  we’d  be  able  to  reproduce  it,” 
Bromberger  says.  “I  wouldn’t  have  to  stand  in 
front  of  management  and  say,  ‘We  felt  that  or 
we  thought  this....’  It  is  unambiguous.” 

-Robert  McMillan 


Photos  by  iStockPhoto.com 


April  2008  www.csoonline.com  9 


>>  BRIEFING 


ALL  ABOUT  WHALING 


Supertargeted  phishing 
attacks  move  from  theory  to 
practice,  researchers  say 

For  the  last  couple  of  years,  security 
researchers  have  been  sounding 
warnings  that  phishers  could  turn  their 
attention  to  superpersonalized  attacks 
targeted  at  high-level  corporate  employ- 
ees-so-called  whaling  attacks.  Now,  however, 
there’s  growing  evidence  that  this  type  of 
attack  is  moving  from  theory  to  practice.  The 
reason?  The  bad  guys  are  getting  better  access 
to  the  information  they  need  to  bait  these  e- 
mails-both  because  they  are  getting  better  at 
mining  databases  on  compromised  corporate 
sites  and  because  employees  are  providing 
more  useful  information  at  networking  sites 
such  as  Linkedln  and  MySpace. 

Once  launched,  the  results  of  a  whaling 
attack  can  be  devastating.  “It’s  really  effective,” 
says  Joe  Stewart,  senior  security  researcher 
for  SecureWorks,  a  managed  security  service 
provider  based  in  Atlanta.  “They’re  hitting  the 
high-level  executives  and  getting  access  to 
these  people’s  entire  workstations.” 

Like  all  “spearphishing”  or  targeted 
phishing  attacks,  whaling  involves  personal 
information,  but  in  this  case  the  targets  are 
high-level,  high-value  individuals  whose 
credentials,  if  compromised,  can  endanger  an 
entire  organization.  The  targets  are  carefully 
chosen,  and  the  number  of  e-mails  distributed 
is  small.  Where  a  massive  phishing  attack 
might  involve  billions  of  e-mails  sent  from 
botnets  with  a  million  zombies,  whaling  usu¬ 
ally  involves  anywhere  from  a  few 
dozen  to  a  few  thousand  e-mails, 
which  are  sent  from  a  botnet 


with  perhaps  20,000  compromised  computers,  feature. 


Conventional  methods  for  identifying  phishing 
attacks  depend  on  spotting  a  lot  of  identi¬ 
cal  messages,  so  the  small  scale  of  whaling 
attacks  makes  them  essentially  invisible  to 
Internet  scanners. 

“What  allows  them  to  fly  under  the  radar 
is  that  they  are  so  targeted,”  says  Alan  Paller, 
director  of  research  at  the  SANS  Institute.  “If 
you  only  go  after  20  companies,  or  200 
companies,  nothing  will  pick  up 
the  attack.” 


Techniques 

Because  the  targets  have  such 
high  value,  whalers  can  afford 
to  go  to  very  elaborate  lengths  to 
make  their  e-mails  appear  legitimate.  To  get 
details  about  their  targets,  the  perpetrators 
might  use  databases  at  the  victims’  compa¬ 
nies  or  companies  they  do  business  with,  or 
conduct  multistep  phishing  attacks.  A  whaling 
e-mail  may  even  include  a  working  telephone 
number-typically,  for  a  voice-over-IP  (VoIP) 
connection,  which  is  hard  to  trace  and  easy 
to  take  down.  Often,  a  recording  at  the  other 
end  of  the  line  will  ask  the  victim  for  more 
information. 

Another  technique,  Paller  says,  is  to 
have  the  compromised  machine  that  sent 
the  whaling  e-mail  automatically  respond  to 
replies  with  a  message  assuring  victims  that 
the  attachment  is  safe  to  open.  “They’ll  say 
something  like,  ‘Absolutely.  You’ll  love  it,”’  he 
says.  Attacks  also  may  take  the  form  of  fake 
messages  from  a  business  partner  about  a 

em  with  our  last  order,”  or  a  request 


“These  guys  have  shifted  from  telling  to  you 
do  something  [in  general]  to  telling  you  to  do 
something  that  is  so  close  to  what  you  do  for  a 
living  that  you  can’t  afford  not  to  do  it,"  Paller 
says.  “They’re  weaving  the  attack  into  your  job 
so  tightly,  they  don’t  allow  you  to  say  no.” 

This  is  all  the  more  effective  because  non-IT 
..  executives  are  usually  less  security-conscious 
than  other  high-value  targets  such  as  net- 
work  administrators.  Also,  the 
purpose  of  the  whaling  e-mail 
is  usually  not  to  collect  personal 
information  directly,  but  to  plant 
malware  such  as  keyloggers. 
Because  the  e-mail  doesn’t  ask  for 
personal  information  such  as  credit 
card  numbers,  the  victims  are  likely  to  feel  the 
e-mail  is  innocuous. 

“The  best  advice  I  can  give  people  is  even 
if  you  get  attachment  from  someone  you 
know,  mail  them  back  and  ask  what  they’re 
sending,”  Stewart  says.  “You’ve  really  got  to 
be  suspicious  of  these  types  of  messages  that 
seem  to  come  from  an  authority  figure.  In  that 
sense,  we  have  an  easier  job  in  user  education. 
It  comes  to  the  security  team  having  a  meeting 
of  the  executive  team  [and  saying,]  Be  suspi¬ 
cious  of  anything  you  get.  Run  it  by  us.” 

Paller,  however,  warns  that  “education” 
in  the  form  of  seminars  and  lectures  doesn’t 
work  well.  Instead,  he  suggests  a  process  he 
calls  “inoculation,”  which  involves  repeat¬ 
edly  sending  out  fake  whaling-type  messages. 
“When  [the  user  bites],  [he  or  she]  gets  a  mes¬ 
sage  saying,  ‘Oops,  you’ve  just  been  had.’  You 
do  that  over  and  over  again  until  people  learn.” 

-Rick  Cook 


io  www.csoonline.com  April  2008 


Illustrations  by  Belie  Mellor 


WEB  MONITORING 


MALWARE 


Anonymizers  vs. 
Anti-Anonymizers 

In  the  struggle  to  provide  a  sure  way 
to  surf  the  Internet  anonymously, 
will  anyone  ever  win? 

In  the  mid-1990s  a  device  appeared  called  the  anonymizer. 
As  the  name  suggests,  this  service  allowed  you  to  request 
files  without  disclosing  your  IP  address.  You  would  send 
the  request  to  the  anonymizer  with  the  desired  To:  address 
tucked  away  on  another  field;  it  would  strip  out  your  address 
from  the  Reply  field,  replace  it  with  its  own,  swap  in  the  address 
of  the  destination  server  and  send  the  request  on.  When  the 
requested  file  was  received,  it  would  reverse  the  actions  and 
(in  theory)  erase  all  evidence  of  the  transaction,  keeping  your 
IP  address  a  secret  forever.  Arbitrarily  high  degrees  of  security 
could  be  achieved  by  daisy-chaining  two  or  more  anonymizers. 

When  anonymizers  appeared,  they  were  embraced  as  a 
pure  good-a  tool  that  defended  against  identity  theft  scams 
and  allowed  citizens  suffering  under  oppressive  regimes  to 
use  the  Internet  without  fear,  advancing  human  rights  and 
the  cause  of  progress.  Among  other  considerations,  in  a  world 
where  data-retention  policies  were  spreading  and  prosecu¬ 
tors  in  jurisdictions  around  the  world  seemed  increasingly 
likely  to  file  charges  against  foreign  citizens  for  violating  local 
ordinances,  anonymization  seemed  only  prudent.  In  time, 
distribution  broke  along  the  usual  lines:  open-source  solutions, 
led  by  a  program  called  TOR  backed  by  the  Electronic  Freedom 
Foundation,  and  a  proprietary  segment  of  the  industry,  domi¬ 
nated  by  Anonymizer.com  (which,  given  its  name,  prefers  the 
term  “non-attribution  solutions”). 

After  a  few  years,  how¬ 
ever,  a  new  side  to 
the  technology 
emerged, 
one 


Malware  Writers' 


Greatest  Hits 


A  breakdown  of  the  most  popular  types  of  malware, 
according  to  research  from  IBM’s  X-Force 


Troians 


Adware 


Down- 

loaders 


idc 


Dialers  other 


r 


12%  10%  6%  6%  6%  4% 


Worms 


viruses  Password  Backdoors 
Stealers 


Source:  IBM  Internet  Security  Systems  X-Force  2007  Trend  Statistics 


that  wasn’t  quite  so  pure.  Nonattribution  solutions  started  to 
be  used  to  spread  worms  and  spam.  People  on  blacklists  for  any 
reason-both  good  and  bad-discovered  that  they  could  use  the 
tools  to  evade  detection.  And  employees  found  that  anonymiz¬ 
ers  allowed  them  to  surf  the  Internet  freely  at  work,  without 
their  activities  being  detected  or  blocked  by  monitoring  and 
control  procedures.  (Some  of  these  tools  do,  after  all,  make 
sense.  According  to  Sextracker.com,  most  porn  traffic  occurs 
during  work  hours.) 

All  these  more  problematic  usages  have  triggered  a  counter¬ 
industry  and  created  something  of  an  arms  race  between  the 
anonymizers  and  the  anti-anonymizers.  One  of  the  first  anti¬ 
anonymizer  ideas  was  to  maintain  a  blacklist  of  the  proxy  sites 
and  block  requests  from  those  sites.  That  worked  for  a  while, 
but  then  the  “nonattribution”  sites  just  started  changing  their 
IP  addresses,  and  their  numbers  grew  out  of  control.  (There 
might  be  hundreds  of  thousands  of  websites  offering  anonymity 
services,  often  as  a  come-on  to  get  viewers  to  look  at  ads.) 

More  recently,  anti-anonymizers  might  try  to  restrict  access 
to  sites  that  subscribe  to  certain  certificate  authorities,  or  to 
allow  connections  only  with  a  specific  list  of  approved  sites. 
Finally,  they  might  try  to  identify  proxy  sites  by  their  behaviors, 
as  opposed  to  their  URLs.  These  “anonymization  manage¬ 
ment”  tools  are  used,  for  instance,  by  companies  that  want 
to  prevent  their  employees  from  using  anonymizers.  The 
Israeli  security  services  company  Aladdin  is  a  representa¬ 
tive  vendor  in  this  category,  as  is  8e6  Technologies,  based 
in  Orange,  Calif.  In  their  eyes,  anyway,  the  whole  good 
guy/bad  guy  layout  has  been  reversed  180  degrees  since 
those  days  when  anonymizers  were  pure  good. 

So  which  tools  ultimately  will  be  more  powerful-the 
anonymizers  or  the  anti-anonymizers?  It  might  not  matter. 
The  bottom  line  is  that  it  is  impossible  to  have  a  set  of  tools 
permitting  anonymity  without  at  the  same  time  having  a  set 
preventing  it.  The  Internet  is  like  that.  -Fred Hapgood 


April  2008  www.csoonline.com  11 


>>  BRIEFING 


APPLICATION  SECURITY 


PayPal  to  Users: 
Drop  Safari 


AND  NOW,  YOUR  LIST  OF  PAYPAL- 
APPROVED  WEB  BROWSERS 

PayPal  CI50  Michael  Barrett  caused  quite 
a  stir  this  winter  when  he  warned  against 
using  Apple’s  Safari.  “Apple,  unfortunately, 
is  lagging  behind  what  they  need  to  do  to 
protect  their  customers,”  Barrett  told  the 
IDG  News  Service,  saying  the  Web  browser 
lacked  important  antiphishing  features. 


Source:  CSOonline.com 


PREPAREDNESS 

The  Ultimate  Sick-Day  Tracker 

States  are  sharing  more  information  about  diseases  but  still  have  their  work  cut  out  for  them 


The  number  of  users  sharing  information  through  a 
Centers  for  Disease  Control  and  Prevention  system 
that  tracks  disease  outbreaks  has  more  than  tripled 
in  the  last  five  years,  according  to  an  inaugural  report 
on  public  health  prepared¬ 
ness  released  by  the  CDC  in  late  Febru¬ 
ary.  In  2006,  4,646  people  were  using 
the  system,  which  is  known  as  the 
Epidemic  Information  Exchange  (Epi- 
X)— up  from  890  in  2001.  This  increase, 
according  to  the  CDC,  is  an  indication 
that  states  have  made  progress  with 
respect  to  emergency  preparedness. 

However,  observers  note  that  there  is 
still  much  to  be  done. 

“Communication  between  the  states 
on  potential  public  health  emergencies 
is  very  important,”  says  Dr.  Joan  Pfins- 
graff,  director  of  health  intelligence  at 
ijet,  a  risk  management  consultancy 
focused  on  global  threats.  “It’s  good 
that  electronic  reporting  and  alerting 
processes  are  being  put  in  place  and 
bolstered  by  the  CDC  and  public  health 
authorities.”  Now,  she  says,  the  CDC 
needs  to  make  sure  it  can  use  the  sys¬ 
tems  in  the  event  of  an  emergency.  “The 
majority  of  work  going  forward  will  be 
related  to  making  states’  plans  opera¬ 
tional.  For  example,  if  the  pandemic 
plan  for  the  state  is  to  close  schools 
before  1  percent  of  the  population  becomes  infected,  it  needs  to  be 
sure  it  can  determine  when  the  first  cases  arrive  into  the  area  and 
that  proper  communication  is  in  place  to  carry  out  the  plan.” 


In  addition  to  increased  adoption  of  the  Epi-X  system,  the 
report,  titled  “Public  Health  Preparedness:  Mobilizing  State  by 
State,”  highlights  progress  in  the  areas  of  training,  laboratory 
testing,  response  plans,  and  disease  detection  and  investigation- 

improvements  that  have  been  possible, 
in  part,  because  of  $5  billion  the  CDC 
has  distributed  to  states  since  2002. 

In  1999,  only  12  states  had  the  abil¬ 
ity  to  receive  urgent  reports  about  dis¬ 
eases  24/7.  Now,  all  state  public  health 
departments  have  that  kind  of  access. 
In  addition,  all  states  have  emergency- 
response  plans  to  address  an  influenza 
pandemic,  as  well  as  plans  to  distrib¬ 
ute  the  Strategic  National  Stockpile’s 
caches  of  medical  supplies  in  case  of 
emergency.  The  number  of  labs  that 
can  test  and  analyze  samples  has 
doubled  since  2001,  and  all  state  public 
health  departments  have  implemented 
routine  worker  training  in  a  range  of 
emergency  response  areas. 

Going  forward,  the  report  empha¬ 
sizes  the  need  to  increase  the  use  of 
electronic  health  records  for  prepared¬ 
ness  and  networking  surveillance  sys¬ 
tems  for  response.  It  also  cites  a  need 
for  states  to  improve  their  ability  to 
dispense  vaccines  and  medication  in 
an  emergency,  and  aid  states  with  legal 
preparedness  through  the  implemen¬ 
tation  of  public  health  mutual-aid  agreements,  which  would  allow 
states  to  share  supplies  and  personnel  during  emergencies. 

-Katherine  Walsh 


12  www.csoonline.com  April  2008 


Photo  top  by  iStockPhoto.com;  below  by  AP/Wide  World  Photos 


LEADERSHIP 


WHEN 
DUMBER  IS 
ACTUALLY 
SMART 

Northrop  Grumman  CISO 
Timothy  McKnight  on  the  threat 
of  nation-based  attacks,  the 
benefits  of  identity  management 
and  the  future  of  the  CISO  role. 

Timothy  McKnight  likes  to  say  that  he’s 
doing  his  job  if  he’s  getting  dumber-in 
other  words,  if  he’s  trusting  his  staff 
members  to  advise  him  and  make 
tactical  decisions,  so  that  he  can  focus  on  the 
company’s  overall  security  strategy. 

Of  course,  as  the  CISO  and  VP  of  defense 
contractor  Northrop  Grumman,  McKnight 
actually  needs  to  be  pretty  smart.  A  former 
special  agent  for  infrastructure  protection, 
corporate  espionage  and  foreign  counterintel¬ 
ligence  at  the  FBI,  McKnight’s  number-one 
concern  now  is  helping  protect  his  company- 
and  therefore  the  U.S.  government,  Northrop’s 
biggest  customer-against  governments  that 
are  looking  to  steal  intellectual  property  and 
gain  a  competitive  advantage  over  the  United 
States.  McKnight  recently  spoke  with  CSO’s 
Katherine  Walsh  about  his  challenges. 

CSO:  Can  you  tell  me  about  the  formation 
of  the  Cyber  Threat  Analysis  intelligence 
Group  and  its  role  at  Northrop  Grumman? 

Timothy  McKnight:  That  team’s  focus  is  on 


the  nation-state  threat,  which  the  Department 
of  Defense  is  now  terming  the  “advanced 
persistent  threat."  These  are  well-resourced, 
highly  targeted  attacks  at  corporations  and 
governments  [by  groups]  that  are  looking 
primarily  to  steal  intellectual  property  and 
gain  competitive  advantage.  The  Cyber  Threat 
Analysis  Intelligence  Group  is  made  up  of 
techies  and  people  with  government  analyst 
backgrounds.  Their  job  is  to  focus  on  the 
technologies  that  are  considered  the  crown 
jewels  of  Northrop  Grumman.  They  look  at  the 
technologies  we  provide  for  the  government, 
who  the  biggest  threat  to  those  technologies  is, 
who  needs  them  the  most,  how  they  [may  be] 
targeting  that  information  and  what  we  can  do 
to  protect  against  it. 

What  do  you  perceive  your  risk  of  insider 
threat  to  be? 

It  really  depends  on  your  definition  of  that,  but 
we  know  it’s  important.  It’s  a  significant  threat 
to  the  government  and  our  company.  The 
nation  is  bleeding  intellectual  property;  the 
U.S.  dollar  is  suffering.  The  Cyber  Threat  team  is 
positioned  to  help  us  focus  on  the  insider  threat. 

What  are  some  of  your  initiatives  in  the 
identity  management  space? 

Right  now  our  focus  is  on  smart  card  one-time 
password  rollouts.  We’re  rolling  out  a  PKI  solu¬ 
tion  specialized  for  Northrop  Grumman.  We’ve 
also  built  an  external  PKI  company  called 
Certipath  with  a  few  other  companies.  We’ve 
found  that  the  smart  cards  or  PKI  ID  manage¬ 
ment  solutions  have  provided  significant  pro¬ 
tection  against  well-resourced  attacks  like  the 
advanced  persistent  threat.  We’ve  deployed 
that  to  all  our  internal  users  who  maintain 


Northrop  Grumman  CISO  Timothy  McKnight  has  to  protect  information 
such  as  how  the  F-14D  Super  Tomcat  (pictured  here  leaving  the 
deck  of  an  aircraft  carrier)  is  designed  and  manufactured. 


critical  systems  and  to  all  our  application 
folks  (about  2,000  users  in  all).  Over  the  next 
couple  of  years  we  will  roll  it  out  to  the  entire 
company  as  a  one-match  system,  where  it  will 
provide  both  physical  and  logical  access  to  the 
network. 

What  is  the  future  of  your  role  at  Northrop 
Grumman,  or  the  CISO  role  in  general? 

Ten  years  ago,  law  enforcement  and  govern¬ 
ment  types  were  moving  into  the  role  of  the 
security  officer,  but  most  of  the  hires  I’ve  made 
in  the  past  five  years  have  been  people  with 
MBAs  or  backgrounds  in  auditing  and  finance. 
The  role  is  definitely  changing,  and  the  people 
entering  into  the  field  are  very  different  than 
they  were  a  decade  ago.  At  Northrop  Grum¬ 
man,  the  role  is  becoming  more  focused  on 
risk  management. 

What’s  the  advantage  to  having  a  business 
background  rather  than  a  technical  one? 

There  are  advantages  to  both.  If  someone 
has  knowledge  of  the  technical  and  the  busi¬ 
ness,  that’s  fantastic.  But  there  are  challenges 
too.  I  recently  promoted  one  of  our  lead 
technical  people  into  an  information  security 
officer  role.  The  first  thing  I  told  him  to  do  was 
to  step  away  from  the  keyboard.  It’s  really  no 
different  from  any  management  role,  where 
you  have  to  learn  to  transition  away  from 
involvement  with  everything  (in  this  case  the 
very  technical  things)  to  letting  your  people 
make  some  of  the  decisions.  It’s  a  big  chal¬ 
lenge.  I  always  tell  my  people  that  I’m  doing 
my  job  if  I  am  getting  dumber:  I  mean  that 
in  the  sense  that  I’m  allowing  my  people  to 
advise  me,  and  I’m  doing  the  things  that  I  feel 
are  important  for  the  company-such  as  talk¬ 
ing  to  our  CFO  or  CEO  about  risk,  working  on  a 
budget,  designing  the  capital  plan  for  infosec 
and  recruiting  new  talent.  It’s  a  balance. 

Is  there  one  security  threat  in  particular 
that  keeps  you  up  at  night? 

It’s  absolutely  country-sponsored  attacks. 

For  us  as  a  company  and  what  we  do  in  the 
national  security  space,  it’s  that  advanced 
persistent  threat.  We  see  signs  that  a  digital 
Pearl  Harbor-like  scenario  is  more  realistic 
today  than  it  was  five  years  ago,  due  to  the 
inner  connectivity  of  all  these  networks  and 
the  global  nature  of  IT.  It’s  such  a  low-entry 
cost  for  any  country  or  terrorist  group.  It’s 
asymmetric;  you  can  do  it  from  anywhere.  We 
need  to  invest  more  in  protecting  against  this. 


Photo  by  AP/Wide  World  Photos 


April  2008  www.csoonline.com  13 


by  Mary  Brandel 


Rules  of  Evidence 

Searching  for  clues?  Here’s  how  to  investigate 
and  use  digital  forensics  tools 


Digital  forensics  tools  are 
intended  to  help  security 
staff,  law  enforcement  and 
legal  investigators  identify, 
collect,  preserve  and  exam¬ 
ine  data  on  computer  hard  drives  related 
to  inappropriate  and  illegal  activity,  such 
as  cybercrime,  e-mail  and  Internet  abuse, 
fraud,  financial  mismanagement,  unau¬ 
thorized  disclosure  of  corporate  informa¬ 
tion,  intellectual  property  theft,  and  so 
on.  Increasingly,  these  tools  are  also  being 
applied  to  e-discovery  efforts  related  to  civil 
litigation  and  regulatory  compliance. 

Forensics  tools  are  often  confused  with 
other  classifications  of  tools,  such  as  inci¬ 
dent  management,  e-discovery  and  data 
recovery.  But  while  they  can  be  used  for 
those  purposes,  the  difference  is  that  they 
abide  by  formal  evidence  processing  proto¬ 
cols  such  as  maintaining  a  chain  of  custody 
and  avoiding  the  alteration  or  compromise 
of  evidence,  enabling  any  findings  to  be 
successfully  used  in  a  court  of  law. 

In  short,  while  you  can  apply  forensics 
tools  to  nonforensics  work,  it  can  be  risky 
to  use  nonforensics  tools.  “If  the  evidence 
you’ve  collected  is  not  defensible  in  court, 
you’ve  severely  limited  its  later  applicability,” 
says  Jay  Heiser,  research  VP  and  analyst  at 
Gartner. 

Digital  forensics  tools  generally  provide 
three  main  capabilities: 

■  Acquisition/collection/preservation: 


Make  a  sector-by-sector  copy  of  the 
hard  drive  and  run  checks  against 
those  images  to  verify  it’s  an  exact  copy 
of  the  original. 

■  Search/analysis:  Identify,  analyze 
and  keyword- search  all  relevant  data, 
including  deleted,  encrypted,  hidden, 
protected  and  temporary  files,  as  well 
as  virtual  memory,  application  settings, 


printer  spools,  etc.  Some  packages  can 
also  detect  which  Web  ports  are  open 
and  which  processes  are  running. 

■  Reporting:  Create  a  detailed  report, 
including  a  full  audit  log.  This  can  help 
address  compliance  with  Sarbanes- 
Oxley  and  other  regulations. 

The  8oo-pound  gorilla  of  digital  forensics 
is  Guidance  Software,  which  released  its 


14  www.csoonline.com  April  2008 


Illustration  by  John  Weber 


1 

m 


You  know 
access  points. 
Gateways. 
Portals. 

Doors  are 
a  natural. 


r  J 


eeIee 


HID  Global,  the  world  leader  in  access  control, 
brings  you  EDGE™-  efficient  and  trouble-free 
IP-based  solutions  to  extend  the  network  to 
your  company’s  doors. 


HID’s  EDGE  access  control  solutions  are  designed  to  fully  leverage  your 
company’s  IT  infrastructure,  eliminating  controllers  and  connecting  easily 
with  a  network  cable  to  each  door.  Simple  to  install  and  administrate, 
EDGE  creates  tangible  cost  savings,  while  using  very  little  bandwidth. 
And,  of  course,  you  also  get  the  security,  reliability  and  support  that  have 
made  us  the  top  name  in  physical  access  control.  EDGE  from  HID.  It’s  a 
natural  move  for  the  network.  We  call  it  bringing  intelligence  to  the  door. 


: 


ACCESS  intelligence. 


>>  TOOLBOX 


EnCase  Forensic  software  in  1998.  However, 
most  investigators  work  with  a  variety  of 
tools,  and  there  are  many  commercial  and 
open-source  tools  and  utilities  available, 
from  suites  to  specialized  point  products. 
Main  competitors  are  AccessData’s  FTK 
and  AD  Enterprise;  Paraben  Software’s 
P2  suite;  and  Technology  Pathways’  Pro- 
Discover  suite.  Others  include  New  Tech¬ 
nologies’  suite  of  tools,  X-Ways  Software 
Technology’s  WinHex  utility,  StepaNet 
Communications’  DataLifte  and  ASR  Data’s 
Smart  utility.  On  the  open-source  side  is 
Sleuth  Kit  and  E-fense’s  Helix. 

In  addition  to  forensics  tools  geared 
toward  hard-drive  contents,  two  other 
types  of  tools  are  often  used  in  conjunc¬ 
tion  with  forensics  (or  e-discovery)  work, 
according  to  Mark  Rhodes-Ousley,  an 
information  security  architect  and  author 
of  Network  Security:  The  Complete  Refer¬ 
ence.  For  instance,  there  are  “survey  tools” 
that  report  on  exceptions  to  preconfigured 
thresholds,  including  intrusion  detection 
tools,  e-mail  and  log  analyzers,  Web  proxy 
reporters  and  network  traffic  analyzers,  he 
says.  In  addition,  “sliding-window”  sys¬ 
tems  observe  the  behavior  of  a  system  over 
time,  including  network  monitoring  tools 
such  as  those  from  Net  Witness,  Niksun, 
and  Sandstorm  Enterprises. 

George  Socha,  founder  of  Socha  Con¬ 
sulting,  compares  digital  forensics  to  wood¬ 
working.  “No  one  tool  will  build  a  piece  of 
furniture,”  he  says.  “Same  here— what  tools 
you  use  depend  on  what  objectives  you  have 
in  mind.” 

Key  Decisions 

Should  you  use  a  service  or  buy  soft¬ 
ware?  There  are  hundreds  of  forensics 
service  providers,  including  many  of  the 
vendors  that  sell  forensics  tools.  So  the 
question  becomes  whether  to  outsource 
this  work  or  invest  in  software.  It  stands 
to  reason  that  if  you  anticipate  several  inci¬ 
dents  per  year  or  are  in  an  industry  with 
heavy  governmental  regulations,  it  may 
be  worth  investing  in  an  in-house  solution, 
especially  if  you  can  also  put  the  tool  to  other 
uses,  such  as  e-discovery,  data  recovery  and 
incident  management.  According  to  Gart¬ 
ner,  by  2010  the  most  litigious  companies  in 
financial  services,  energy,  utilities,  pharma¬ 
ceuticals  and  high-tech  will  decrease  their 
spending  on  outsourced  e-discovery  ser¬ 


vices  by  75  percent  and  increase  their  enter¬ 
prise  software  spending  by  100  percent. 

For  Affiliated  Computer  Services,  it  was 
less  expensive  to  purchase  AD  Enterprise 
than  to  hire  outside  help  because  the  soft¬ 
ware  enables  the  company  to  respond  more 
quickly  to  requests,  according  to  Curtis 
Gatterson,  director  of  digital  forensic  and 
e-discovery  support  at  the  company.  With 
58,000  employees  in  the  U.S.,  the  central¬ 
ized  collection  network  helps  him  provide 
litigation  support  and  respond  to  internal 
inquiries  into  policy  violations  or  com¬ 
plaints  related  to  privacy  or  ethics.  “Any 
Fortune  500  company  is  going  to  constantly 
have  inquiries,”  he  says.  “With  the  amount 
of  cases  we  process  a  month,  it  would  be 
five  to  10  times  the  cost  of  what  we  spend 
with  our  more  proactive  approach.” 

Should  you  buy  single -workstation 
software  or  a  tool  that  works  over  the 
network?  Traditionally,  investigators  used 
manual  forensics  tools,  requiring  them 


to  be  physically  present  at  the  worksta¬ 
tion  from  which  they  were  extracting  data. 
However,  more  vendors  now  offer  software 
that  works  over  the  network,  using  remote 
agent  technology  to  preview  and  collect  evi¬ 
dence  without  users  being  aware  of  it.  “It’s 
much  more  efficient  than  sending  someone 
to  every  single  office  that  might  be  involved 
in  a  discovery  request,”  Heiser  says. 

Network-based  solutions  are  more 
expensive  but  should  be  considered  by 
large  or  distributed  environments.  For 
instance,  Gatterson  upgraded  to  AD  Enter¬ 
prise  after  using  EnCase  Forensic,  Access 
Data’s  FTK  and  other  tools  for  many  years. 
Previously,  “we  had  to  put  folks  on  a  plane 
to  do  collection,  which  was  resource-inten¬ 
sive  and  time-consuming,”  he  says.  Now, 
from  a  central  location  in  Dallas,  he  can  log 
in  to  the  network,  do  some  quick  searches 
and  identify  the  inquiry  subject  within  a  six- 
hour  period. 

Are  you  purchasing  the  tool  to  do 


more  than  forensics  work?  According  to 
John  Patzakis,  vice  chairman  and  chief  legal 
officer  at  Guidance,  customers  are  increas¬ 
ingly  justifying  the  cost  of  its  EnCase 
Enterprise  product  by  targeting  it  not  just 
at  forensics  but  also  at  e-discovery.  “They 
realize  they’re  spending  $30  million  to  $40 
million  on  outsourcing  their  e-discovery 
function  and  another  $10  million  to  $20  mil¬ 
lion  in  investigations,  so  the  business  case  is 
more  compelling  when  they  combine  [the 
two  processes],”  he  says. 

Both  Guidance  and  Access  Data  offer 
an  e- discovery  module  that  automates  key¬ 
word  searching  around  the  network  to  look 
for  relevant  documents  in  pending  civil  liti¬ 
gation  suits  or  for  regulatory  compliance. 

“If  you’re  trying  to  collect  all  the  files 
having  to  do  with  the  XYZ  merger,  you  may 
or  may  not  need  to  do  that  in  a  forensically 
sound  way.  But,  it’s  tough  to  make  that  deci¬ 
sion,  which  is  why  many  companies  are 
simply  buying  products  like  EnCase,”  says 


Jason  Priebe,  Of  Counsel  in  the  Chicago 
offices  of  Seyfarth  Shaw. 

Evaluation  Criteria 

Here  are  some  key  criteria  to  include  in  your 
search  for  the  best  tool: 

Courtroom  admissibility.  If  there’s  any 
chance  of  needing  to  use  the  evidence  you 
collect  in  court,  you  should  look  carefully 
at  which  tools  have  been  tested  in  a  court¬ 
room  and  how  much  success  they’ve  had 
there,  according  to  Rhodes-Ousley.  “One  of 
the  most  important  factors  to  keep  in  mind 
is  courtroom  admissibility  of  evidentiary 
data,”  he  says.  EnCase  is  not  the  only  tool 
to  fit  that  bill,  but  because  it’s  used  exten¬ 
sively  by  law  enforcement,  it’s  gained  a  lot 
of  familiarity  with  judges,  Priebe  says.  “It’s 
stood  the  test  of  experts  challenging  its  suf¬ 
ficiency,”  he  says.  “It’s  a  little  harder  when 
you  have  to  have  the  IT  person  saying,  Let 
me  tell  you  how  the  tool  works.” 

Ability  to  preserve  only  relevant  data. 


By  2010,  the  most  litigious  companies 
will  decrease  their  spending  on  outsourced 
e-discovery  services  by  75%  and  increase 
their  enterprise  software  spending  by  100%. 


16  www.csoonline.com  April  2008 


The  Usual  Suspects 


Some  tools  enable  you  to  reduce  the  vol¬ 
ume  of  data  you  preserve  by  filtering  out 
certain  types  of  files  such  as  executables.  Or 
you  might  be  able  to  narrow  down  data  by 
using  keyword  searches  or  context  search¬ 
ing  capabilities.  “It’s  not  the  blunt  instru¬ 
ment  that  grabs  everything  and  then  you 
sort  through  it  later,”  Priebe  says.  “You  can 
stage  it  on  the  storage  device  and  de-dupli¬ 
cate  it  right  then  and  there.”  E-discovery 
costs  rise  quickly  during  the  attorney 
review  stage;  “Getting  data  from  2  terabytes 
to  5GB  can  save  a  company  millions  on  one 
case,”  Patzakis  says. 

Case  management  capabilities.  Especially 
when  running  multiple  investigations,  it’s 
important  to  maintain  a  record  of  your 
activities,  as  well  as  all  the  data  objects 
associated  with  each  investigation. 

Integration.  Many  vendors  have  worked 
to  integrate  their  tools  with  other  software 
that  aids  in  forensics  work,  such  as  incident 
management,  e-mail  analysis,  decryption 
tools,  password-recovery  tools  and  so  on. 
Other  vendors  offer  preintegrated  modules 
that  extend  a  tool’s  capabilities  into  areas 
such  as  e-discovery,  password  analysis,  e- 
mail  analysis  and  incident  response. 

Do’s  and  Don’ts 

DON’T  confuse  e-discovery  with  forensics. 
Some  vendors  of  forensics  suites  are  mar¬ 
keting  their  tools  for  e-discovery  because,  in 
fact,  the  steps  involved  with  forensics  work 
are  actually  subsets  of  the  e-discovery  pro¬ 
cess,  as  defined  by  the  Electronic  Discov¬ 
ery  Reference  Model.  The  EDRM  defines 
forensics  as  encompassing  identification, 
preservation  and  collection— three  steps 
of  its  overall  model,  which  also  includes 
information  management,  review,  analysis, 
production  and  presentation.  Vendors  such 
as  Guidance  and  AccessData  also  sell  e-dis¬ 
covery  modules. 

When  using  an  e-discovery  module,  the 
tool  doesn’t  make  a  full  bit-by-bit  copy  of  the 
entire  hard  drive,  explains  Socha;  instead, 
it  uses  a  keyword  search  function  over  the 
network  to  locate  relevant  files  in  specific 
folders  or  drives,  he  says.  This  enables  the 
scan  to  happen  much  more  quickly,  accord¬ 
ing  to  Patzakis.  “It  can  scan  500  computers 
in  three  or  four  days,  which  would  take 
three  or  four  months  with  EnCase  Enter¬ 
prise,”  he  says. 

But  while  forensics  tools  can  perform  e- 


COMPANY 

WHAT  THEY  DO 

Guidance 

Software’s 

EnCase 

Considered  the  Cadillac  of  digital  forensics  tools,  EnCase  is  the  clear  market 
leader  in  digital  forensics,  with  26,000  users  of  its  single-workstation  version 
and  over  300  users  of  EnCase  Enterprise,  which  works  over  the  network.  While 
widely  accepted,  it  has  also  been  criticized  for  being  unintuitive  and  complex.  The 
latest  version  adds  a  full-text  indexing  engine,  a  native  file  viewer  and  expanded 
e-mail  support.  EnCase  is  more  expensive  than  other  options,  starting  at  $25,000. 

AccessData’s 

Forensics 

Toolkit 

With  its  release  in  January  2008  of  an  enterprise  version,  AccessData  is 
looking  to  directly  compete  with  Guidance,  with  the  claim  of  being  easier 
to  learn  and  use,  especially  with  the  help  of  wizards  for  data  acquisition, 
filtering,  case  management  and  reporting.  AD  Enterprise  contains  all 
the  capabilities  of  its  single-workstation  product  FTK  2.0,  but  it  adds  an 

Oracle  back  end,  allowing  for  advanced  data  correlation  and  reporting. 

Paraben 

Corp.  P2 

Paraben  provides  single-workstation  toolkits,  as  well  as  a  suite  that 
enables  remote  monitoring  over  the  network.  Although  it  has  an  extensive 
tool  suite,  it  has  not  caught  on  in  the  industry  as  well  as  the  EnCase  and 

AccessData  products.  Its  major  distinction  is  its  support  for  handhelds  (PDAs 
running  the  Palm  OS,  Windows  CE/Pocket  PC/Mobile  4.x,  BlackBerry  and 

Symbian)  as  well  as  cell  phones  and  global  positioning  system  devices. 

Technology 

Pathways’ 

ProDiscover 

Technology  Pathways  was  one  of  the  first  to  offer  a  remote  forensics 
capability,  but  according  to  users,  the  tool  does  not  scale  as  well  as 

AccessData  and  Encase.  Users  call  ProDiscover  a  powerful  evidence¬ 
collecting  toolset,  but  other  suites  offer  a  fuller  set  of  capabilities 
outside  of  investigate  inquiries,  such  as  HR  compliance  reviews. 

discovery  work,  Priebe  and  others  discour¬ 
age  users  from  doing  the  opposite— using 
nonforensics  tools  for  forensics  work. 
“There  are  plenty  of  companies  that  think 
if  you  use  something  like  Norton  Ghost  or 
the  WinZip  file  utility  that  it’s  an  adequate 
job,”  Priebe  says.  “And  it  may  be,  but  not 
against  a  more  skilled  opponent  who  starts 
questioning  the  adequacy  of  what  you  did 
in  court.” 

DO  train  staff  before  using  these  tools. 
The  process  related  to  a  forensics  investiga¬ 
tion  is  more  important  than  the  product  you 
use,  Gartner  says.  And  you  can’t  just  learn 
it  on  the  job— you  need  to  undergo  formal 
training.  “There  are  always  stories  of  cli¬ 
ents  who  say,  I’ve  captured  the  data;  now 
you  tell  me  what  happened,”  he  says.  “But 
at  that  point,  the  admissibility  of  the  data  in 
a  court  of  law  might  be  totally  gone.” 

“People  will,  in  good  faith,  think  they’re 
using  a  tool  and  following  a  process  that’s 
appropriate,  but  they’re  not  sufficiently 
informed  sometimes,”  Socha  says. 

DON’T  forget  PDAs.  With  increasing 
use  of  handheld  tools,  chances  are  you’ll 
someday  need  to  investigate  data  held  on 
a  PDA  or  cell  phone.  Software  that  sup¬ 
ports  PDAs  include  Palm  DD,  Pilot-link 
and  Palm  OS  Emulator,  all  open-source 
software;  PDA  Seizure  from  Paraben;  and 
Guidance’s  Duplicate  Disk  utility. 

DO  prepare  for  sticker  shock.  EnCase 


Enterprise  Version  6  starts  at  $25,000.  You 
can  spend  considerably  less  by  purchasing 
a  workstation-based  tool,  a  less  scalable 
remote-collection  tool  or  one  that  limits  its 
feature  set,  for  instance,  a  tool  that’s  strong 
in  forensics  data  collection  and  not  internal 
policy  and  compliance  investigations,  or 
one  that  eliminates  the  analysis  and  report¬ 
ing  capabilities. 

“Other  methods  are  great  for  smaller 
cases,  but  when  many  computers  are 
involved  or  it’s  a  serious  criminal  matter 
involving  something  like  the  SEC,  EnCase 
is  the  gold  standard,”  Priebe  says.  “You 
don’t  want  to  cut  butter  with  a  chainsaw, 
but  sometimes  you  need  a  chainsaw.” 

Others  contend  you  can  get  similar 
functionality  for  far  less.  Gatterson  says  it 
cost  him  about  $2  million  to  implement  AD 
Enterprise,  about  half  what  he  would  have 
paid  for  EnCase  Enterprise. 

DO  expect  to  use  more  than  one  tool. 
Although  the  trend  is  for  software  vendors 
to  try  to  be  a  one-stop  shop,  most  investiga¬ 
tors  use  more  than  one  tool.  In  fact,  NIST 
compares  forensics  tools  to  a  Swiss  army 
knife,  where  many  tools  specialize  in  cer¬ 
tain  functionality  that  needs  to  be  aug¬ 
mented  by  others.  ■ 


Mary  Brandel  is  a  freelance  writer  based  out¬ 
side  Boston.  Send  feedback  to  Editor  Derek 
Slater  at  dslater@cxo.com. 


April  2008  www.csoonline.com  17 


iKWBKimaWKi 


COVER  STORY  |  INFORMATION  SECURITY 


Playing  the  role  of  an  attacker 
can  make  your  team  better 
at  defense.  Here’s  how  to  run 
an  effective  simulation. 


BY  ROBIN  MEJIA 


THE  MILITARY  does  it.  The  Govern¬ 
ment  Accountability  Office  does  it.  So  does 
the  NSA.  And  the  concept  is  making  its  way 
into  the  corporate  world,  too:  war  gaming 
the  security  infrastructure. 

Red  team-blue  team  exercises  take 
their  name  from  their  military  antecedents. 
The  idea  is  simple:  One  group  of  security 
pros— a  red  team— attacks  something, 
and  an  opposing  group— the  blue  team— 
defends  it.  Originally,  the  exercises  were 
used  by  the  military  to  test  force-readiness. 
They  have  also  been  used  to  test  physical 
security  of  sensitive  sites  like  nuclear  facili¬ 


ties  and  the  Department  of  Energy’s  National 
Laboratories  and  Technology  Centers.  In 
the  ’90s,  experts  began  using  red  team- 
blue  team  exercises  to  test  information 
security  systems. 

“Really,  this  is  a  capability  and  expertise 
that  developed  naturally  here  out  of  the 
Lab’s  mission  as  one  of  the  national  nuclear 
security  agency  laboratories,”  says  John 
Clem,  Information  Design  Assurance  Red 
Team  program  manager  at  the  DoE’s  San- 
dia  National  Laboratory.  Sandia  experts 
helped  advise  the  President’s  Commission 
on  Critical  Infrastructure  Protection  in 


the  1990s,  which  led  to  the  group’s  current 
focus  on  information  security.  Clem’s  team 
has  “red-teamed”  Sandia’s  infrastructure 
and  worked  with  other  federal  agencies, 
and,  as  part  of  the  Lab’s  infrastructure  pro¬ 
tection  mission,  the  team  works  with  pri¬ 
vate-sector  companies  as  well.  Clem  notes 
the  commonly  held  view  that  85  percent  of 
the  U.S.’s  critical  infrastructure  is  owned 
by  private  enterprises.  Such  companies 
keep  oil  refineries,  nuclear  power  plants 
and  telecommunications  providers  up 
and  running  safely.  Researchers  at  Idaho 
National  Laboratory  offer  a  service  similar 


Illustration  by  John  MacDonald 


April  2008  www.csoonline.com  19 


COVER  STORY  I  INFORMATION  SECURITY 


to  Sandia’s,  sometimes  building  model  test 
beds  to  mimic  a  company’s  network. 

However,  companies  in  any  industry 
can  benefit  from  a  red  team-blue  team 
exercise.  SANS  hosted  a  cyberwarfare 
event  at  its  2007  Las  Vegas  trainings  in 
which  a  red  team  attacked  a  fake  company 
it  called  GIAC  Enterprises,  supposedly  the 
world’s  largest  provider  of  fortunes  for  for¬ 
tune  cookies.  In  February  of  this  year,  eBay 
ran  a  red-team  exercise  with  various  CISO 
and  vendor  invitees.  For  those  who  missed 
the  fortune  cookie  attack  or  eBay’s  confab, 
we’ve  collected  tips  on  how  to  get  the  most 
out  of  your  own  infosecurity  red  team-blue 
team  simulation. 

Get  the  Right  People  to  Your 
Kickoff  Meeting 

“I  start  by  getting  the  admin  and  security 
people  in  the  same  room,”  says  Michael 
Assante,  an  infrastructure  protection  strat¬ 
egist  at  Idaho  National  Laboratory  (INL).  “I 
have  the  security  team  do  a  thorough  analy¬ 
sis  of  what  we  have  in  place.” 

This  is  one  of  the  easiest  ways  to  iden¬ 
tify  security  vulnerabilities,  and  it  also 
helps  with  an  issue  key  to  any  successful 
red  team-blue  team  exercise:  buy  in.  Yes, 
it’s  one  of  the  most  overused  phrases  in  a 
consultant’s  vocabulary,  but  the  approval 
of  management  and  employees  is  essential 
when  testing  information  security  systems. 

The  goal  of  a  red  team-blue  team  exer¬ 
cise  is  not  just  to  identify  holes  in  security, 
but  to  train  security  personnel  and  manage¬ 
ment.  If  not  everyone  agrees  on  the  value 
of  the  exercise,  it  can  quickly  devolve  into 
defensive  posturing  and  wasted  time.  After 
all,  you  may  be  asking  higher-ups  for  the 
time  and  budget  required  to  fix  flaws  the 
exercise  discovers. 

An  initial  assessment  may  identify 
changes  that  need  to  be  made.  Then,  it’s 


time  to  get  started. 

Attack  the  Whiteboard 

The  simplest  version  of  a  red  team-blue 
team  exercise  requires  little  more  than  a 
conference  table.  Divide  your  security  staff 
into  teams,  and  spend  an  afternoon  talking 
through  possible  attack-defend  scenarios. 
The  key  element  for  success  is  a  red  team 
that  can  get  into  the  mind-set  of  an  attacker. 

“Red-teaming  is  a  thought  process,” 
explains  Tom  Anderson  of  INL.  “The  prob¬ 
lem  with  having  the  people  who  built  [the 
security  system]  do  it  is  they  have  an  inter¬ 
est  in  protecting  it.”  To  combat  self-interest 
and  homogeneity,  Anderson  and  Assante 
create  diversified  teams  where  experts  from 
INL  work  alongside  staff  from  the  company 
they’re  assisting. 

That’s  not  to  say  you  can’t  do  it  on  your 
own,  but  it’s  important  to  at  least  try  to 
think  like  an  outsider.  “A  lot  of  times  when 
we  develop  security  systems,  it’s  to  keep  the 
honest  person  honest,”  explains  Assante. 
An  attacker  will  disregard  more  than  rules; 
he  or  she  will  disregard  the  company’s 
norms.  Consider  who  your  attackers  may 
be.  Power  plants  may  be  targeted  by  terror¬ 
ists.  Banks  by  criminals.  Anyone  by  a  dis¬ 
gruntled  ex- employee.  It  can  take  time  and 
effort  to  step  back  and  view  the  system  like 
an  outsider,  or  even  an  insider  who  intends 
to  harm. 

One  of  the  values  of  a  tabletop  exercise 
is  that  it  lets  players  consider  the  system  as 
a  whole.  Most  companies  that  don’t  house 
nuclear  materials  are  unlikely  to  engage  in 
full-scale  physical  exercises  with  armed 
forces  storming  their  building,  but  it’s 
important  to  consider  physical  security 
when  developing  whiteboard  attacks. 

“Physical  systems  have  to  protect  the 
cybersystems,  and  the  cybersystems  have 
to  protect  the  physical  systems,”  says  Ray 


Parks,  leader  of  the  Sandia  Red  Team.  “The 
first  thing  the  guys  designing  physical  secu¬ 
rity  systems  say  to  me  is  usually,  The  back¬ 
bone  of  our  security  is  a  gigabit  Ethernet.” 
Knock  that  out  (by  cyber  or  physical  attack) 
and  suddenly  the  physical  access  control 
system  is  out  of  commission. 

The  conference  room  exercise  is  espe¬ 
cially  important  for  companies  that  have 
never  attempted  a  red  team-blue  team 
exercise  before.  “Just  by  doing  a  tabletop 
exercise,  you  can  learn  a  lot  about  your 
risk,”  says  Assante. 

And,  strange  as  it  sounds,  keeping 
things  hypothetical  provides  a  learning 
opportunity  that  an  actual  cyberattack 
by  high-end  pros  may  not.  In  a  recent 
paper,  Greg  B.  White,  the  director  of  the 
Center  for  Infrastructure  Assurance  and 
Security,  called  red-team  attacks  on  truly 
unprepared  targets  “roughly  equivalent 
to  army  recruits  attempting  to  defend  an 
installation  from  a  group  of  elite  paramili¬ 
tary  forces.  Ultimately,  the  recruits  would 
learn  they  weren’t  ready,  but  the  exercise 
wouldn’t  provide  any  training  to  make 
them  ready.” 

A  tabletop  exercise  provides  the  oppor¬ 
tunity  to  reflect  and  assess  response  options 
as  well  as  attacks.  And  then  think  about 
what  possible  breaches  might  mean. 

“What  is  the  top  end  consequence?”  says 
Assante.  “A  $10  million  loss?  Regulatory 
risk?  Is  the  safety  of  employees  at  risk?  Or 
customers? 

Red-Team  the  Network 

Once  you’ve  fixed  the  holes  your  white¬ 
board  exercises  identified,  however,  a  live 
attack-and-defend  exercise  can  provide  a 
whole  new  level  of  insight,  but  it’s  not  an 
activity  to  be  taken  on  lightly.  In  some  cases, 
vulnerabilities  can  be  safely  demonstrated 
on  a  live  corporate  network,  but  it’s  not  wise 


mum  ■  ■  ■ umurmmummmuui  ■■■WaW.WAVi1.1.1. 

“Red-teaming  is  a  thought  process/’ 

explains  Tom  Anderson  of  INL  “The  problem  with 
having  the  people  who  built  [the  security  system]  do 
it  is  they  have  an  interest  in  protecting  it.” 


20  www.csoonline.com  April  2008 


to  launch  a  real  attack  against  your  produc¬ 
tion  systems. 

“Certain  kinds  of  systems  should  almost 
never  be  subjected  to  live  penetration  test¬ 
ing,”  notes  Clem.  When  he  works  with 
companies  that  rely  on  SCADA  (Supervi¬ 
sory  Control  and  Data  Acquisition)  systems 
to  keep  plants  up  and  running— common 
in  industries  such  as  power  generation  and 
oil  and  gas  refineries— Clem  works  on  test 
networks  not  connected  to  the  com¬ 
pany’s  process  controls. 

Assante  says  that  at  Idaho 
National  Labs,  his  team  has  built 
client-specific  test  beds  that  mimic 
the  company’s  real  network  in  order 
to  offer  what  he  calls  “facilitated 
immersive  training.”  Some  of  the 
network  and  security  staff  try  to 
defend  the  network  while  others 
join  Assante’s  red-team  colleagues 
in  attacking  it. 

“This  gives  the  blue  team,  the 
defenders,  confidence,”  says 
Assante.  “It’s  also  very  useful  to  the 
red  team.  You  see  vulnerabilities  in  a 
whole  new  light.  And  they  bring  that 
training  back”  to  their  coworkers. 

Giovanni  Vigna  is  an  associate 
professor  in  the  computer  security 
group  at  UC  Santa  Barbara’s  depart¬ 
ment  of  computer  science.  The 
majority  of  his  students  go  to  work 
for  startups  or  as  security  consul¬ 
tants.  At  the  end  of  the  fall  semester 
each  year,  for  his  class  final,  Vigna 
stages  a  Capture  the  Flag  competi¬ 
tion,  a  sophisticated  red  team-blue 
team  exercise  in  which  all  teams 
both  attack  and  defend.  It’s  such  a 
popular  event  that  he’s  expanded 
the  competition  to  other  universi¬ 
ties;  last  December,  classes  from  3 6  teams 
across  four  continents  participated. 

“If  you’re  given  a  website  and  you  have 
to  break  into  it,  that’s  an  incredibly  valu¬ 
able  experience,”  says  Vigna.  “You  can 
read  about  PHP  file  inclusion  and  how  it’s 
a  problem,  but  once  you  exploit  one  of  those 
goodies,  you  really  understand  what’s 
going  on.” 

Red-Team  Your  Users 

Even  at  National  Labs,  employees  are  often 
the  weakest  link  in  a  security  plan.  But  even 
if  you  don’t  have  to  worry  about  employees 


copying  classified  material  onto  home  com¬ 
puters,  it’s  important  to  think  about  how 
an  enemy  could  exploit  weaknesses  in  your 
employees’  behavior. 

Do  they  prop-open  automatic  doors? 
Click  on  e-mail  attachments  from  strang¬ 
ers?  You  can  test  for  these  problems  and 
similar  ones.  Assuming  you  have  a  written 
security  policy  and  employees  are  aware 
of  it,  you  may  not  want  to  announce  a  red- 


team  exercise,  since  your  goal  is  to  deter¬ 
mine  the  risks  of  normal  behavior.  Assante 
and  Anderson  have  left  USB  devices  lying 
around  office  buildings  to  see  who  picked 
them  up  and  plugged  them  into  their 
computers.  They’ve  also  sent  phishing  e- 
mails  to  employees  to  see  who  would  take 
the  bait. 

As  with  earlier  exercises,  consider  the 
possible  consequences  of  these  actions, 
and  also  how  you  can  use  the  exercise  to 
provide  training.  Think  scary  blue  warn¬ 
ing  screens  when  users  click  through  bad 
links  in  spam. 


Rinse  and  Repeat 

If  you’ve  done  all  these  things,  you’re  prob¬ 
ably  feeling  pretty  good  about  your  infor¬ 
mation  security,  and  you  should.  But  not 
for  too  long.  Any  CSO  worth  his  or  her  salt 
knows  security  is  a  moving  target.  Bad  guys 
are  adapting.  Even  more  important,  your 
network  is  changing.  In  all  likelihood,  so  is 
your  employee  base. 

Sandia’s  Parks  recalls  visiting  a  client 
that  had  implemented  a  dual  man- 
trap  door  system  in  front  of  a  secure 
area.  However,  the  badge-swipe 
controller  that  opened  the  doors 
was  housed  in  the  regular  corporate 
office  and  also  connected  to  systems 
in  the  human  resources  depart¬ 
ment.  The  result  was  that  access  to 
the  “secure”  area  was  controlled  by 
systems  located  in  non-secure  areas. 
The  badge- swipe  system  had  been 
designed  for  building  access.  Then, 
later,  the  government  mandated  the 
man-trap  dual  door  system,  so  the 
company  simply  extended  a  badge- 
swipe  system  it  already  had  in  place. 
“They  hadn’t  thought  about  the 
fact  that  the  badge  system  wasn’t 
designed  for  that,”  says  Parks. 

Red-teaming  helps  companies 
understand  the  unintended  con¬ 
sequences  of  those  kinds  of  deci¬ 
sions,  and  not  just  at  companies 
with  double-door  systems.  Sandia’s 
red  team  developed  a  specialty  in 
wireless  security  because  the  need 
appeared. 

“Many  people  migrate  from  a 
wired  network  to  a  wireless  one 
assuming  it  works  exactly  the  same, 
because  from  their  perspective 
it  does  work  the  same,”  explains 
Parks.  “They  don’t  realize  that  there  are  dif¬ 
ferent  characteristics  that  provide  different 
attack  surfaces.” 

“Red-teaming  is  good  at  helping  the  cus¬ 
tomer  understand  interdependencies,”  says 
Clem,  who  advocates  bringing  a  red-team 
mentality  to  design  decisions.  He  wants  his 
clients  to  think,  How  does  that  added  func¬ 
tionality  affect  security?  What  could  the 
bad  guy  do  if  we  do  that?  ■ 

Robin  Mejia  is  a  freelance  writer  based  in  Cali¬ 
fornia.  Send  feedback  to  Editor  Derek  Slater  at 
dslater@cxo.com. 


April  2008  www.csoonline.com  21 


part  two  in  a  series.  As  search  engine 
optimizers  played  fast  and  loose,  a  reaction 
from  the  search  engine  companies  became 
inevitable.  Now  SEOs  are  forced  to  choose 
hats:  black  or  white,  by  scott  berinato 


In  part  one  of  our  series  on  the  collision  of  search 
engine  optimization  and  black-hat  hacking  (see 
our  March  cover  story,  “Gaming  the  System”),  we 
explored  how  search  engine  optimizers,  or  SEOs, 
have  learned  tricks  that  change  the  search  results 
that  drive  much  of  the  traffic  to  successful  websites. 

(The  practice  of  search  engine  optimization  is  also 
called  SEO.)  Many  of  these  upstart  entrepreneurs  have 
made  small  fortunes  as  SEO  consultants.  Many  also  use 
SEO  to  drive  traffic  to  their  own  sites  that  sell  products, 
ads  or  referrals— a  business  known  as  search  marketing. 

We  explored  how  the  tactics  of  SEO  include  some 
unsavory  ones  that  range  from  digital  fibs  to  aggres¬ 
sive  deception.  The  tricks  are  called  black-hat  SEO, 
though  that’s  something  of  a  misnomer  since,  as  SEOs 
like  to  say,  they  don’t  break  the  law,  just  the  search 
companies’  terms  of  service.  The  search  companies 
tried  to  stay  ahead  of  black-hat  SEO  by  tweaking 
their  algorithms  and  adding  filters  that  penalize 
sites  for  questionable  tactics.  Increasingly,  though,  it 
looked  as  if  the  combined  forces  of  SEO  and  black-hat 
hacking  would  be  too  much  for  any  algorithm.... 


As  search  companies  have  tried  to  contain  the 
more  aggressive  techniques  that  SEOs  were 
using  to  manipulate  search-engine  rankings, 
black-hat  SEOs  have  responded  by  circum¬ 
venting  the  rules.  Rather  than  just  using 
loopholes,  they  began  actively  abusing  the  algorithms  used  to 
determine  search  engine  results.  The  tactics  became  so  aggres¬ 
sive  that  the  SEOs  started  to  make  the  search  engines  look  bad: 
Search  results  started  to  reflect  the  SEO’s  reality,  rather  than  a 
reality  that  rewarded  good  sites.  Like  all  arms  races,  this  one 
eventually  escalated  to  an  untenable  level.  The  game  had  to 
change  again.  And  it  did,  about  18  months  ago. 

Suddenly  and  without  much  warning,  search  compa¬ 
nies— Google  especially,  the  SEOs  say— decided  to  enforce  its 
terms  of  service,  and  severely.  The  algorithms  wised  up  some, 
but  more  than  that,  it  appeared  that  Google  was  buttressing  its 
algorithm  with  filters  and  manual  labor.  If  enough  complaints 
came  in  about  a  site  using  black-hat  tactics,  Google  would  man¬ 
ually  adjust  the  rankings  or  simply  blacklist  the  site— a  process 
SEOs  call  a  “hand  job.” 

Some  SEOs  and  search  marketers  were  surprised.  The  top 
SEOs  generally  maintained  good  lines  of  communication  with 
Google  and  other  search  companies.  Some,  like  Jeremy  Schoe- 


22  www.csoonline.com  April  2008 


ilMiniitiiiffMiMfihtiirirt  2  m  i ■ — m 


SEO,  PART  2 


maker— a  search  marketer  known  online  as  Shoemoney— 
would  even  periodically  ask  for  advice  on  SEO  techniques  and 
whether  they’d  get  him  in  trouble. 

But  now  the  search  companies  were  matching  the  SEOs’ 
aggressiveness.  The  effect  could  be  devastating.  A  site  that  was 
blacklisted  lost  its  traffic,  and  therefore  its  business,  overnight. 
Usually  targeted  sites  clearly  violated  search  terms  of  service. 
But  some  weren’t  doing  anything  differently  than  they’d  been 
doing  for  months  or  years.  “When  people  are  ranking  for 
a  phrase  and  supporting  their  family,  and  then  the  next  day 
they’re  off  the  map,  that’s  really  vicious,”  says  Schoemaker. 
“You  can  literally  ruin  someone’s  life.” 

Of  course,  Google  could  make  the  argument  that  turnabout 
is  fair  play.  Perhaps  enforcement  was  brusque  and  arbitrary, 
but  so  is  black-hat  SEO.  Nothing  Google  was  doing  was  illegal, 
which  was  an  argument  the  black-hat  SEOs  had  made  for  years. 
Plus,  as  early  as  2006,  Matt  Cutts,  Google’s  chief  liaison  to  the 
SEO  community,  had  blogged  about  the  ramp-up  in  enforce¬ 
ment  against  overly  aggressive  SEO. 

Even  before  that,  the  veteran  SEO  Eric  Ward  warned  others 
that  eventually  the  free  ride  would  end.  Ward  was  notorious 
for  his  cautious,  by-the-book  approach  to  link-building  strate¬ 
gies.  Some  called  him  “a  poser,”  “arrogant”  and  “retarded,”  and 


bestowed  him  with  the  nickname  “Linkmoses.” 

“I  understand  why  [the  search  engines]  are  doing  it,  but 
their  enforcement  has  become  a  little  heavy-handed,”  says 
SEO  Michael  Gray.  Says  Aaron  Wall,  another  SEO:  “Google 
went  on  a  crusade.” 

The  Aftermath  of  the  Crusade 

AS  FRUSTRATING  AS  delisting  was  for  companies  suddenly 
punished  by  SEO  enforcement,  getting  relisted  proved  to  be  a 
much  worse  problem.  SEOs  and  site  owners  found  themselves 
stuck  with  little  communication  from  the  search  companies 
about  what  they  had  done  wrong  or  how  to  fix  it  to  get  back  in 
the  good  graces  of  the  algorithms.  Schoemaker  himself  lost  the 
top  spot  for  ring-tone  searches. 

“I  was  making  thousands  of  dollars  a  day,  and  then  one 
day  I  was  out  of  Google,”  he  says.  “I  inquired  why  and  never 
really  got  an  answer.  They  said  it  was  normal  search  engine 
fluctuation”— fluctuation,  he  notes,  that  also  can  be  caused  by 
black-hat  SEOs.  “I  probably  got  gamed  out,”  he  suggests.  He 
currently  ranks  about  tenth  in  ring  tones. 

Google  also  partnered  with  Stopbadware.org  to  blacklist 
sites  that  were  potentially  infected  with  malware.  Last  Sep¬ 
tember,  a  Web-hosting  company  in  Thailand  was  hacked  and 


April  2008  www.csoonline.com  23 


SEO,  PART  2 


several  sites  that  used  the  host  were  flagged  on  Google,  so  that 
if  users  clicked  on  a  link  to  the  site,  an  intermediate  screen 
popped  up  warning  them  that  the  site  they  were  about  to  visit 
was  potentially  infected.  Obviously,  people  rarely  visit  a  site 
after  that  kind  of  warning.  The  owner  of  the  hosting  company, 
Daniel  Peterson,  says  that  after  he  had  cleaned  up  the  sites, 
nothing  had  been  done  to  get  those  blocked  sites  relisted  in 
Google  search  results.  “No  one  seems  to  want  to  do  anything, 
and  the  blacklisting  is  now  seriously  damaging  our  businesses,” 
Peterson  wrote  in  an  e-mail. 

He  is  particularly  concerned  about  a  boutique  hotel  in  Pat- 
taya  called  Rabbit  Resort.  Peterson  wrote:  “Rabbit  Resort  seri¬ 
ously  relies  on  their  Google  listing  and  normally  receives  50 
to  60  visitors  every  day.  Most  of  these  become  bookings.  They 
now  receive  one  every  day  or  so.  With  more  than  60  staff  to 
employ,  they  now  risk  financial  ruin  and  disaster.”  (The  sites 
were  eventually  relisted). 

Roger  Thompson,  the  blogger  for  Exploit  Prevention 
Labs,  cites  another  recent  case,  in  which  search  results 
for  “saints  football  club”  brought  up  a  number  of  Aus¬ 
tralian  soccer  team  sites  that  were  labeled  as  potentially 
containing  malware.  Thompson  notes  that  another  site 
had  this  happen.  “Ki-usa.net...used  to  be  the  number-one 
organic  result  when  people  searched  for  kl.  They  were  hacked 
for  about  10  days,  and  then  cleaned,  but  in  the  meantime,  they 
had  earned  the  ‘This  site  may  harm  your  computer’  label,  and 
over  the  next  12  months,  before  the  label  was  removed,  their 
rating  slipped,  and  slipped,  until  finally  it  was  nowhere  on  the 
first  three  pages.” 

Most  of  the  soccer  sites  were  marked  clean  within  days,  not 
months,  suggesting  Google  has  improved  in  the  relisting  game. 
“We  can  always  try  to  do  better,”  says  Cutts,  the  Google  liaison. 
“We’re  trying  to  be  as  responsive  as  possible.” 

But  Thompson  notes,  “This  happens  quite  a  bit,  and  I  must 
admit  that  I’m  surprised  no  one  has  accused  Google  of  damag¬ 
ing  their  brand.” 

“Our  webmaster  guidelines  are  clear,”  says  Cutts,  who  noted 
that  Google  made  this  policy  in  anticipation  of  problems  with 
sites  using  others  to  goose  their  rankings.  “We  say  that  ulti¬ 
mately  you  are  responsible  for  what’s  on  your  site. 

If  the  scam  is  on  your  page,  that’s  what  is  caus¬ 
ing  damage.  We’ll  do  whatever  we  can  to  try 
to  help,  but  ultimately  if  there’s  spam  content 
on  your  pages,  we’re  willing  to  remove  that 
content,  and  then  hopefully  cycle  that  back  in 
when  it’s  cleaned  up.” 

RSnake,  a  security  expert  with  experi¬ 
ence  in  Web  advertising  and  SEO  who  runs 
ha.ckers.org,  says  that  no  matter  how  blunt 
and  overzealous  enforcement  has  become, 
that’s  not  the  problem  with  Google’s  approach 
to  enforcement.  It’s  that  the  policy  that  Cutts 
is  referring  to  is  ultimately  faulty,  because  it’s 
based  on  a  false  premise. 


“Google  can  shut  you  down  at  any  time,”  says  RSnake.  “But 
there  are  all  kinds  of  weird  things  that  could  happen  to  you, 
upstream  problems,  a  proxy  goes  bad,  someone  takes  over  your 
site,  and  there’s  no  way  for  you  to  explain  that  it  might  not  be 
your  fault.  They’re  making  false  assumptions  about  how  the 
Internet  works,  which  is  that  the  owner  of  the  IP  address  is 
always  in  control  of  what  happens  through  that  IP  address.” 
(Indeed,  some  black-hat  SEOs  seized  on  the  opportunity  and 
complained  about  competitors’  sites  in  hopes  that  they  could 
get  them  manually  pushed  out  of  the  rankings.) 

Still,  Google’s  policy  of  flagging  sites  and  aggressively 
delisting  any  site  using  black-hat  SEO  remains  in 
place,  and  by  January  of  this  year,  Ward  felt  vindi¬ 
cated  for  his  conservative  approach  to  SEO.  About  the 
crackdown  on  black-hat  SEO,  a  gloating  Linkmoses 
(he  has  embraced  the  nickname)  wrote  a  blog  entry,  “Don’t 
Blame  Google  for  Your  Linking  Failures”: 

In  2007,  many  long-practiced  link  building  tactics 
stopped  being  effective.  Many  link  building  companies  and 
consultants  sold  the  exact  tactics/services  that  are  now 
useless.  Why  didn’t  you  see  this  coming,  and  if  you  did, 
why  did  you  sell  those  services  in  the  first  place  and  what 
services  will  you  sell  now?...  Are  you  really  going  to  tell  me 
you  are  shocked  that  Google  no  longer  thinks  a  link  from 
link-o-matic,  link-to-my-loo,  and  LinksForNoGood 
Reason.com  are  of  any  value?  Please.  But  if  you  knew  that 
such  links  would  someday  lose  value,  why  did  you  take 
money  for  that  very  service?  A  nd  if  you  didn  ’t  honestly 
know  such  links  were  pointless,  how  can  you  call  yourself  a 
link  builder?  Google’s  focus  on  trusted  sources  is  your  worst 
nightmare. 

The  Devil  They  Didn’t  Know 

CERTAINLY  GRAY  TECHNIQUES  are  still  being  used  by 
SEOs,  and  they  always  will  be;  Schoemaker  recently  uncov¬ 
ered  a  ring-tone  business  that  had  come  up  with  a  way  to  take 
up  all  the  Google  AdWords  paid-links  results  for  any  given 
search.  He  estimated  that  the  scheme  could  net  $1  million  in 
four  months,  and  he  was  surprised  Google  hadn’t  banned  the 
company  yet. 

Still,  the  crackdown  has  had  an  effect.  It  appears  to  be  cleav¬ 
ing  the  business.  Many  SEOs  are  going  more  white  hat,  if  you 
will,  and  a  few  have  decided  to  go  full-out  black  hat— a  phe¬ 
nomenon  that  security  researcher  Jeremiah  Grossman 
calls  “SEOwN3d!!i”,  a  mash-up  of  SEO  and  hacker 
slang  for  compromising  a  site. 

Some  decided  that  the  free  ride  was  over,  and 
they  cleaned  up  their  act.  They’ve  adjusted  to 
the  new  rules  of  the  playground.  The  noted 
SEO  David  Naylor  gave  up  black-hat  SEO 
and  even  abandoned  jobs  for  which  his 
revenue  would  be  based  on  traffic  volume. 
Instead  he  works  on  retainer  and  consults  for 
flat  fees— trading  in  the  potential  for  periodic 


24  www.csoonline.com  April  2008 


obscene  windfalls  for  a  less  outrageous,  more  stable  income. 
“If  I  slip  off  that  first  page,  I  still  get  paid  now,”  he  says.  “And 
I’ve  got  a  team  of  guys  I’ve  got  to  feed.  It  was  a  total  business 
decision.” 

Cutts  of  Google  believes  this  is  the  primary  trend.  “I  pri¬ 
marily  see  growth  in  white-hat  SEO.  Most  are  savvy  enough 
to  know  that  they  can’t  afford  to  be  delisted.  The  industry  as  a 
whole  is  heading  toward  white-hat  SEO.”  But  he  also  concedes 
the  point  that  hackers  and  SEOs  “are  getting  a  little  more  affili¬ 
ated,  and  more  SEOs  are  delving  into  that  world.” 

They’ve  cleaved  the  other  way,  crossing  into  the  realm  of 
the  illegal  to  keep  the  game  going.  If  Google  won’t  let  black-hat 
SEOs  build  link  farms  or  stuff  comments  fields  with  links,  then 
they  will  exploit  legitimate  sites  and  use  them  as  cats’  paws  in 
their  schemes.  Of  course,  an  early  target  has  been  .edu  domains. 
“Almost  all  of  the  .edu  hacks  now  are 
for  SEO,”  says  RSnake.  “Not  just  a 
few  of  the  big  hacks.  I  mean  almost 
all  of  them.”  Domains  with  .mil 
extensions,  which  also  pass  “juice” 

(SEO  lingo  for  tactics  that  increase 
Web  rankings),  are  targets  now,  too. 

Primary  entries  into  sites  are 
XSS,  SQL  injection  and  FTP  vul¬ 
nerabilities  that  allow  strangers  to 
manipulate  the  site.  Hackers  tradi¬ 
tionally  used  those  vulnerabilities 
to  insert  bots  on  a  site  for  distrib¬ 
uting  spam,  stealing  personal  data 
or  some  other  scam.  Now  they  are 
being  used  to  stuff  links  on  the  page. 

They  hide  the  links  by  making  them 
the  same  color  as  the  background 
(an  old  technique  for  keywords 
made  new)  or  by  simply  cloaking 
them,  so  that  the  spiders  see  them 
but  people  do  not. 

If  the  site  gets  good  traffic— like  A1  Gore’s  ecology  blog— 
those  hidden  links  get  good  juice.  Another  scam  uses  the  bots 
to  give  redirect  commands  that  send  browsers  to  link  farms. 
Recent  headlines  illustrate  this:  “Forth  Road  Bridge  hack  redi¬ 
rects  to  smut  bazaar”  and  “Perl.com  sends  visitors  to  porn  link 
farm.”  Many  SEOs  said  hacking  and  surreptitious  linking  are 
rampant  on  social  networking  sites,  and  blog  platforms  like 
WordPress  (where  A1  Gore’s  blog  lived)  are  under  constant 
attack  as  hackers  look  for  high-traffic  zones  to  plant  their  links 
and  their  bots. 

Another  illegal  technique  a  bot  might  be  used  for  is  cookie 
stuffing.  Here’s  one  cookie-stuffing  scheme:  Around  tax  time, 
a  hacking  SEO  uses  compromised  sites  to  secretly  inject  cook¬ 
ies  onto  the  computers  of  site  visitors.  On  those  cookies  are 
referral  links  to  the  tax  prep  websites.  If  my  machine  had 
been  stuffed  with  one  of  those  cookies,  the  person  who  put  it 
there  would  collect  a  referral  fee  when  I  signed  up  to  use  one 


the  tax  prep  sites. 

Many  experts  believe  this  is  only  the  beginning  and  that, 
because  there’s  so  much  money  to  be  made  off  the  search  busi¬ 
ness  model,  the  techniques  will  get  more  sophisticated  and  far 
more  clever.  “From  my  point  of  view,”  says  Grossman,  “it’s  just 
getting  started.” 

Even  Linkmoses  held  no  illusions  that  Google’s  crackdown 
would  eliminate  black-hat  SEO.  “Enforcement  means  higher 
rankings  will  go  to  creators  of  truly  awesome  content,  and  bad 
guys,”  he  says.  “It’s  been  a  game  of  leapfrog  since  day  one.  There 
won’t  ever  be  a  time  when  people  won’t  game  the  system.” 

David  Naylor  believes  that  black-hat  SEO  has  gotten  so 
good  that  search  itself  is  being  devalued.  Trust  has  eroded. 
“You  type  a  search  into  Google  and  believe  what  comes  back 
in  the  number-one  slot  is  the  truth,  and  it’s  not,”  he  says.  “It’s 

often  some  version  of  the  truth  engi¬ 
neered  by  very  clever  people  trying 
to  make  a  lot  of  money.” 

The  SEOwN3d!!l 
Effect 

JUST  AS  AUGURIES’  decisions 
about  the  observed  flight  patterns 
of  birds  reverberated  through  Rome, 
affecting  religion,  the  outcomes  of 
wars  and  the  fate  of  rulers,  so  too  do 
the  effects  of  SEO  schemes  ripple 
across  the  Internet— affecting  how 
SEO  is  used,  what  it’s  good  for  and 
what  it  will  look  like  in  the  future. 

As  SEO  migrates  to  illegal  activ¬ 
ity,  the  primary  effect  is  the  col¬ 
lateral  damage  it  creates.  A  report 
from  Websense,  the  Internet  fil¬ 
tering  company,  estimated  that  51 
percent  of  sites  hosting  malware 
now  are  legitimate  sites  that  have  been  compromised,  and 
many  of  those  are  compromised  for  SEO  and  search  market¬ 
ing  schemes. 

A  simple  cookie-stuffing  program  illustrates  the  havoc 
SEOs  and  search  marketers  can  create.  Cookie  stuffing 
involves  the  illegal  access  of  an  innocent  site,  which  is  then 
used  to  serve  illicit  code  to  customers  without  their  knowledge, 
based  on  their  arriving  there  through  a  search  engine.  Mean¬ 
while,  a  company  is  paying  referral  fees  to  search  marketers 
who  haven’t  earned  that  fee  while  possibly  taking  those  fees 
away  from  people  who  had  earned  them  but  whose  legitimate 
referrals  were  overwritten  by  the  cookie  stuffier. 

So  those  who  run  the  hacked  site  are  mad  at  the  hacking 
SEO.  Customers  are  mad  at  the  hacked  site  and  at  the  search 
engine  for  bringing  them  to  a  hacked  site.  A  company  is  mad 
about  paying  money  to  someone  who  didn’t  earn  it,  while 
someone  who  should  have  earned  it  is  mad  at  the  company  and 
the  other  hacking  SEO. 


“Are  you  really 
going  to  tell  me 
you  are  shocked 
that  Google  no 
longer  thinks  a 
link  from  link- 
o-matic,  link- 
to-my-loo,  and 
linksiorNoGood 
Reason.com 
are  of  any 
value?  Please.” 


April  2008  www.csoonline.com  25 


SEO,  PART  2 


Where  there’s  collateral  damage,  there’s  litigation.  A  few 
lawyers  have  started  looking  at  the  space  as  possible  fertile 
ground. 

“It’s  quite  possible  that  the  next  few  years  will  see  some 
lawsuits  against  providers  that  allege  the  use  of  SEO  tactics,” 
writes  James  Grimmelmann  in  an  Iowa  Law  Review  article  from 
last  November  about  the  ambiguous  state  of  search  engine  law. 
While  he  notes  some  challenges  of  suing  based  on  SEO,  he  also 
notes,  “Courts  have  recognized  that  some  techniques  of  con¬ 
tent  design  are  deceptively  manipulative  and  cause  harm  to 
legitimate  providers,  and  it  is  possible  that  innovative  pleading 
could  properly  state  other  business  torts  against  manipulators. 
Similarly,  luring  users  to  one’s  content  through  SEO  raises  sig¬ 
nificant  false-advertising  concerns.  In  these  cases,  competitors, 
users  and  consumer-protection  agencies  might  all  be  proper 
plaintiffs.” 

But  that’s  speculation.  Naylor, 
among  others,  says  that  aggres¬ 
sive  and  illegal  forms  of  SEO  have 
already  had  more  tangible  effects 
on  the  Internet  and  what  it’s  good 
for— or  rather  what  it’s  no  longer 
good  for. 

“One  of  the  things  black-hat 
SEOs  did,  and  did  very,  very  well, 
was  to  go  into  Web  landscapes  and 
just  destroy  them,”  says  Naylor.  “I 
mean,  at  one  time  people  liked  hav¬ 
ing  guest  books  on  their  sites,  and 
SEOs  just  filled  them  with  all  these 
links  to  the  point  they  became  unus¬ 
able.  Now  why  would  you  have  a 
guest  book?  It’s  asking  for  trouble. 

Why  would  you  let  people  put  com¬ 
ments  on  your  blog?  Are  you  crazy?” 

The  optimizers  are  changing  what’s  valuable  online,  by 
changing  what  looks  valuable  because  it  ranks  high  in  a  search. 
Black-hat  SEOs,  and  now  hacking  SEOs,  are  so  good  at  their 
craft  that  they  force  search  companies  to  constantly  change  the 
algorithms  and  filters.  The  factors  that  give  a  site  juice  are  in 
some  ways  the  ones  that  SEOs  haven’t  yet  exploited. 

Some  SEOs  argue  that  no  online  feature  exists  that  they 
won’t  be  able  to  game.  What  black-hat  SEO  demonstrates,  they 
say,  is  that  the  search  algorithm  isn’t  magic  at  all.  It’s  just  soft¬ 
ware  that,  once  understood,  is  easily  outwitted  by  humans. 

The  Men  Behind  the  Curtain 

TO  DEAL  WITH  this,  the  SEOs  believe  that  the  search  com¬ 
panies  have  deployed  humans  of  their  own— rooms  full  of 
them— whose  job  is  to  essentially  buttress  the  algorithms’  deci¬ 
sions  with  human  ones.  “They  have  to  keep  this  mystery  algo¬ 
rithm  looking  like  it’s  working  correctly,”  says  Schoemaker.  “So 
they  have  all  these  places  around  the  country  where  they  hire 
humans  to  hand-edit  results”  that  have  been  affected  by  black- 


hat  and  hacking  SEO,  he  says. 

“They  don’t  say  it  openly  but  I’ve  read  enough  from  Matt 
Cutts  and  others  to  know  that  this  algorithm  they  purport  does 
everything  magically,  it’s  all  a  bunch  of  nonsense,”  says  Dave 
Dellanave,  Schoemaker’s  partner.  “The  reality  is  they  have 
probably  thousands  and  thousands  of  filters  that  they  manu¬ 
ally  create.  And  there’s  no  doubt  in  my  mind  that  increasingly 
they’re  using  people,  the  ‘human  signal,’  for  rankings.” 

Critical  SEOs  contend  that  this  is  the  only  way  the  search 
companies  can  protect  their  indexes  from  widespread  abuse  by 
black-hat  and  hacking  SEOs.  “They’re  trying  to  protect  their 
index,”  says  SEO  Michael  Gray,  “because  if  it’s  clean,  people 
want  to  use  it,  and  if  people  want  to  use  it  they  can  sell  adver¬ 
tising.  The  lower  value  the  search  results,  the  less  valuable  to 
users  and  advertisers.” 

Cutts  says  that  the  “vast  major¬ 
ity”  of  ranking  (and  of  reconsidera¬ 
tion  requests  when  a  site  is  delisted) 
is  “algorithmically  done.”  He  also 
contends  that  “Google  is  returning 
more  relevant  search  results  in  the 
last  year  or  two.” 

But  critics  argue  that  “relevant” 
is  in  the  eye  of  the  beholder.  The 
phrase  used  in  the  industry  for  the 
new  direction  of  search  companies 
is  a  focus  on  “trusted  and  authorita¬ 
tive  links.”  But  what  makes  some¬ 
thing  trustworthy  or  authoritative, 
especially  when  the  search  engine 
can’t  intuit  what  a  person  is  looking 
for  to  begin  with? 

Many  SEOs  say  that  “trusted 
and  authoritative”  is  code  for  “big, 

well-known  company.” 

“The  real  direction  of  search,”  says  SEO  Wall,  “is  that  large 
corporations  will  dominate  search  results,  and  they’ll  get 
away  with  more  aggressive  SEO  because  the  search  engines 
can’t  afford  to  look  bad  by  not  having  them  at  the  top  of  results. 
You’re  more  likely  to  get  enforced  against  if  you  use  aggressive 
SEO  if  you’re  smaller,  not  bigger.  Small  companies  will  not  be 
able  to  compete  through  search.” 

Many  of  the  SEOs  compared  this  to  big-box  stores  driv¬ 
ing  locally  owned  independent  stores  out  of  business  in  small 
towns.  Search  results  would  become  dominated  by  large 
brands  that  can  afford  to  keep  themselves  atop  the  rankings 
and  that  the  search  companies  consider  trusted  and  authorita¬ 
tive,  because  they’re  well-known. 

This,  the  SEOs  say,  is  finally  where  black-hat  SEO  is  driving 
general  search,  and  now  hacking  SEO  is  as  well.  It’s  turning 
the  Web  into  a  big  strip  mall.  ■ 


Scott  Berinato  is  former  executive  editor  of  CSO.  Send feedback  to 
Derek  Slater  at  dslater@cxo.com. 


“The  real 
direction  of 
search/*  says 
SEO  Aaron  wall, 


<«s 


will  dominate 


away  with  more 


26  www.csoonline.com  April  2008 


cso 

Perspectives 

Becoming  the  Complete  CSO 

Thank  You  to  our  2008  CSO  Perspectives  Sponsors: 


Underwriter 

•  1 1 1  •  1 1 1  • 
CISCO. 


Platinum 


Pricb/WekhouseQopers  § 

0  protegrity  %?SUTl 


microsystems 


Gold 


Aveksa 


G 


Brabeionw  ^^///Bridges  5S3  R6C0lin6X 

fT  Rak.  &  Compliance  Management 

®Sai(Point  aONESOFT  %  Symantec. 

IDENTITY  RISK  MANAGEMENT  /I  VlUi/VI  I  W  J 


Common 

Compliance 

Framework 


N5C 


Emerging  Solutions 


paymetric 


SECURITY  WEAVER 


CSOI 


Icorporate  events  A  apmo  AveRs'd  >  fishnet 

I  I  IDENTITY  ^  SECURITY 


IPARTNER 


NetVisor  O  pr  oteqrity  ®SailPoint  (  1  § 


BUSINESS  RISK  LEADERSHIP 


RISK  ANALYSIS 


The 

Hidden  Risks 


Lead  paint  in  toys.  Brain-eating  amoeba.  Identity 
theft.  We  know  more  than  ever  about  the  risks  all 
around  us.  Do  we  know  what  too  much  information 
isdoingtous?  by  scott  berinato 


I’D  LIKE  TO  SAY  that  the  writing  that  had  the 
most  profound  effect  on  me  this  year  was  some 
classic  novel  I  picked  up  in  my  spare  time,  but 
in  fact  it  was  an  Associated  Press  article.  Last 
June,  AP  Medical  Writer  Mike  Stobbe  wrote 
a  fascinating,  harrowing  story  about  large  holes  dug 
in  beach  sand  that  can  collapse  “horrifyingly  fast”  and 
cause  a  person  in  the  hole  to  drown.  Stobbe  described 
one  case  when  a  teenager  ran  back  to  catch  a  football, 
fell  in  a  hole  and  disappeared  under  a  cascade  of  sand. 
When  his  friends  approached  to  help,  more  sand  caved 
over  him.  He  was  buried  for  at  least  15  minutes  and 
eventually  suffocated.  Stobbe  discloses  in  the  article 
that,  while  they’re  virtually  unheard  of,  collapsing  sand 


holes  are  actually  more  common  than  “splashier  threats” 
like  shark  attacks. 

Unfortunately,  I  read  the  story  right  before  going 
on  vacation  with  my  family,  to  the  beach.  Sometimes, 
the  story  trespassed  on  my  mind.  I  found  myself  scan¬ 
ning  the  beach  for  holes  left  behind  by  beachgoers  who 
didn’t  know  about  the  monster  that  lived  in  the  sable  but 
unstable  sand.  I  wondered  why  I  would  voluntarily  give 
my  kids  shovels  and  pails— the  very  tools  of  their  demise. 
I’m  actually  worried  about  the  beach— the  beach!— swal¬ 
lowing  up  my  kids. 

And  that’s  not  all  I’m  worried  about.  After  a  summer 
of  sand  terror  and  tracking  mosquitoes  with  Triple-E 
encephalitis  and  dead  birds  with  West  Nile  Virus,  I  fret- 


28  www.csoonline.com  April  2008 


Illustration  by  Brucie  Rosch 


RISK  ANALYSIS 


ted  to  see  a  constant  stream  of  headlines 
like.. .“Brain-eating  amoeba  kills  6  this 
year”;  “Drugmakers  recall  infant  cough/ 
cold  medicine”;  “ConAgra  shuts  down  pot 
pie  plant  because  of  salmonella  concerns”; 
“Listeria  precaution  prompts  recall  of 
chicken  &  pasta  dish.”  Also,  MRSA,  the  so- 
called  superbug  that  resists  antibiotics,  is 
“more  deadly  than  AIDS”  and  a  new  strain 
of  adenovirus  means  that  now  the  common 
cold  can  kill  me.  Also,  my  Christmas  lights 
have  lead  in  them.  Finally,  I  found  Boston, 
corn’s  page  called  “Tainted  Food,  Tainted 
Products,”  where  I  could  track  all  of  the 
products  that  were  potentially  deadly  to 
me,  including  everything  from  mushrooms 
containing  illegal  pesticides  to  lead-bearing 
charity  bracelets.  Charity  bracelets! 

It  feels  like  there’s  more  risk  disclosure 
than  ever  before— an  endless  stream  of 
letters  about  identity  theft,  disclaimers  in 
drug  commercials,  warnings  on  product 
labels,  recalls  and,  of  course,  news  stories. 

Disclosure  is  more  preemptive  than  ever. 

We  know  about  risks  before  they’re  even^  { 
significant.  Many  of  the  state  data  breach™  ™ 
disclosure  laws,  for  example,  mandate 
notification  at  the  mere  possibility  of  your 
private  information  being  compromised. 

Even  more  bizarre  and  stressful,  disclo¬ 
sure  is  becoming  presumptive.  The  cough 
medicine  recall,  for  example,  involved  a 
product  that  a  consumer  advocate  said  was 
safe  when  used  as  directed.  Essentially  the 
disclosures  amounted  to:  Not  following 
directions  is  dangerous. 

Perhaps  the  most  insidious  change  is 
with  the  rare  but  spectacular  risks.  The 
sensational  tales  of  brain  eaters  and  sand 
killers.  Such  stories  have  always  existed, 
of  course,  but  something  is  different  now, 
and  that’s  the  Internet.  Ubiquitous  access 
combined  with  bizarre  potential  publish¬ 
ers  means  the  freakiest  event  can  be  shared 
by  millions  of  people.  Anyone  can  read 
about  it,  blog  about  it,  link  to  it,  forward  it 
in  e-mail,  and  post  it  as  a  Flash  video,  but 
there’s  no  impetus  for  them  to  disclose 
the  risk  responsibly  or  reasonably.  Their 
agenda  may  even  call  for  them  to  twist  the 
truth,  make  the  risk  seem  more  or  less  seri¬ 
ous  than  it  is. 

Here’s  the  paradox  that  rises  from  all 
of  this:  As  an  individual  and  consumer,  I 
like  disclosure.  I  want  every  corporate  and 
civic  entity  I  place  trust  in  to  be  accountable. 


I  want  journalists  and  scientists  to  unearth 
the  risks  I’m  not  being  told  about.  At  the 
same  time,  while  any  one  disclosure  of  a 
threat  may  be  tolerable,  or  even  desirable, 
the  cumulative  effect  of  so  much  disclosure 
is,  frankly,  freaking  me  out. 

So  I  started  to  wonder,  at  what  point 
does  information  become  too  much  infor¬ 
mation?  Is  more  disclosure  better,  or  is 
it  just  making  us  confused  and  anxious? 
Does  it  enable  us  to  make  better  decisions, 
or  does  it  paralyze  us?  What  do  the  constant 
reminders  of  the  ways  we’re  in  danger  do  to 
our  physical  and  mental  health? 

To  answer  these  questions,  I  sought 
out  two  leading  experts  on  risk  perception 
and  communication:  Baruch  FischofF  and 
Paul  Slovic,  both  former  presidents  of  the 
Society  of  Risk  Analysis.  I  told  them  that  I 
wanted  to  better  understand  risk  percep¬ 
tion  and  communication,  the  effect  of  ubiq¬ 
uitous  access  to  risk  information  and  what 
we  could  do  about  this  disclosure  paradox. 


t’s  a  really  difficult  topic,”  says 
Fischoff.  “On  the  one  hand, 
you  want  disclosure  because  it 
affirms  that  someone  is  watch¬ 
ing  out  for  these  things  and 
that  the  system  is  catching  risks.  But  on  the 
other  hand,  there’s  so  much  to  disclose  that 
it’s  easy  to  get  the  sense  the  world  is  out  of 
control.” 

Little  research  exists  on  the  physical 
health  effects  of  any  risk  disclosure,  never 
mind  the  cumulative  effects,  although 
media  saturation  is  being  blamed  for 
increased  anxiety,  stress  and  insomnia- 
gateways  to  obesity,  high  blood  pressure, 
depression  and  other  maladies.  But  the 
mental  health  effects  of  so  much  disclosure 
are  reasonably  well  understood.  Research 
suggests  that  it’s  not  only  unproductive,  but 
possibly  counterproductive. 

To  understand  how,  I  was  sent  to  look 
up  research  from  the  late  1960s,  when 
some  psychologists  put  three  dogs  in  har¬ 
nesses  and  shocked  them.  Dog  A  was  alone 
and  was  given  a  lever  to  escape  the  shocks. 
Dogs  B  and  C  were  yoked  together;  Dog  B 
had  access  to  the  lever,  but  Dog  C  did  not. 
Both  Dog  A  and  Dog  B  learned  to  press  the 
lever  and  escape  the  shocks.  Dog  C  escaped 
with  Dog  B,  but  he  didn’t  really  understand 
why.  To  Dog  C  the  shocks  were  random,  out 
of  his  control.  Afterward,  the  dogs  were 


shocked  again,  but  this  time  they  were 
alone  and  each  was  given  the  lever.  Dog  A 
and  Dog  B  both  escaped  again,  but  Dog  C 
did  not.  In  fact,  Dog  C  curled  up  on  the  floor 
and  whimpered. 

After  that,  the  researchers  tested  the 
idea  with  positive  reinforcement,  using 
babies  in  cribs.  Baby  A  was  given  a  pillow 
that  controlled  a  mobile  above  him.  Baby 
B  was  given  no  such  pillow.  When  both 
babies  were  subsequently  placed  in  cribs 
with  a  pillow  that  controlled  the  mobile, 
Baby  A  happily  triggered  it;  Baby  B  didn’t 
even  try  to  learn  how. 

Psychologists  call  this  behavior  “learned 
helplessness”— convincing  ourselves  that 
we  have  no  control  over  a  situation  even 
when  we  do.  The  experiments  arose  from 
research  on  depression,  and  the  concept 
has  also  been  applied  with  regard  to  torture. 
It  also  applies  to  risk  perception.  Think  of 
the  risks  we  learn  about  every  day  as  little 
shocks.  If  we’re  not  given  levers  that  reli¬ 
ably  let  us  escape  those  shocks  (in  the  form 
of  putting  the  risk  in  perspective  or  giving 
people  information  or  tools  to  offset  the 
risk,  or  in  the  best  case,  a  way  to  simply  opt 
out  of  the  risk),  then  we  become  Dog  C.  We 
learn,  as  Fischoff  said,  that  the  world  is  out 
of  control.  More  specifically,  it  is  out  of  our 
control.  What’s  more,  sociologists  believe 
that  the  learned  helplessness  concept 
transfers  to  social  action.  It  explains  not 
only  how  individuals  react  to  risk,  but  also 
how  groups  do. 

My  favorite  learned  help¬ 
lessness  experiment  is 
this  one:  People  were 
asked  to  perform  a  task 
in  the  presence  of  a  loud 
radio.  For  some,  the  radio  included  a  vol¬ 
ume  knob,  while  for  others  no  volume  knob 
was  available.  Researchers  discovered  that 
the  group  that  could  control  the  volume 
performed  the  task  measurably  better,  even 
if  they  didn’t  turn  the  volume  down.  That  is, 
just  the  idea  that  they  controlled  the  volume 
made  them  less  distracted,  less  helpless  and, 
in  turn,  more  productive. 

Control  is  the  thing,  both  Fischoff  and 
Slovic  say.  It’s  the  countervailing  force  to 
all  of  this  risk  disclosure  and  the  learned 
helplessness  it  fosters. 

We  have  many  ways  of  creating  a  sense 
of  control.  One  is  lying  to  ourselves.  “We’re 


30  www.csoonline.com  April  2008 


pretty  good  at  explaining  risks  away,”  says 
Slovic.  “We  throw  up  illusory  barriers  in 
our  mind.  For  example,  I  live  in  Oregon. 
Suppose  there’s  a  disease  outbreak  in  Brit¬ 
ish  Columbia.  That’s  close  to  me,  but  I  can 
tell  myself,  ‘that’s  not  too  close’  or  ‘that’s 
another  country.’  We  find  ways  to  create 
control,  even  if  it’s  imagined.”  And  the 
more  control— real  and  imagined— that  we 
can  manufacture,  Slovic  says,  the  more  we 
downplay  the  chances  a  risk  will  affect  us. 

Conversely,  when  we  can’t  create  a 
sense  of  control  over  a  risk,  we  exaggerate 
the  chances  that  it’ll  get  us.  For  example, 
in  a  column  (near  the  bottom),  Brookings 
Institution  scholar  Gregg  Easterbrook 
mentions  that  parents  have  been  taking 
kids  off  of  school  buses  and  driving  them 
to  school  instead.  Part  of  this  is  due  to  the 
fact  that  buses  don’t  have  seat  belts,  which 
seems  unsafe.  Also,  bus  accidents  provoke 
sensational,  prurient  interest;  they  make 
the  news  far  more  often  than  car  accidents, 
making  them  seem  more  common  than  they 
are.  Yet,  buses  are  actually  the  safest  form 
of  passenger  transportation  on  the  road.  In 
fact,  children  are  eight  times  more  likely  to 
die  in  a  car  than  they  are  on  a  bus,  accord¬ 
ing  to  research  by  the  National  Highway 
Traffic  Safety  Administration  (NHTSA). 
That  means  parents  put  their  kids  more  at 
risk  by  driving  them  to  school  than  letting 
them  take  the  bus. 

Faced  with  those  statistics,  why  would 
parents  still  willingly  choose  to  drive  their 
kids  to  school?  Because  they’re  stupid? 
Absolutely  not.  It’s  because  they’re  human. 
They  dread  the  idea  of  something  out  of 
their  control,  a  bus  accident.  Meanwhile, 
they  tend  to  think  they  themselves  won’t 
get  in  a  car  accident;  they’re  driving. 

read  is  a  powerful  force.  The 
problem  with  dread  is  that 
it  leads  to  terrible  decision 
making. 

Slovic  says  all  of  this 
results  from  how  our  brains  process  risk, 
which  is  in  two  ways.  The  first  is  intuitive-, 
emotional-  and  experience-based.  Not  only 
do  we  fear  more  what  we  can’t  control,  but 
we  also  fear  more  what  we  can  imagine  or 
what  we  experience.  This  seems  to  be  an 
evolutionary  survival  mechanism.  In  the 
presence  of  uncertainty,  fear  is  a  valuable 
defense.  Our  brains  react  emotionally,  gen¬ 


erate  anxiety  and  tell  us,  “Remember  the 
news  report  that  showed  what  happened 
when  those  other  kids  took  the  bus?  Don’t 
put  your  kids  on  the  bus.” 

The  second  way  we  process  risk  is  ana¬ 
lytical:  We  use  probability  and  statistics  to 
override,  or  at  least  prioritize,  our  dread. 
That  is,  our  brain  plays  devil’s  advocate 
with  its  initial  intuitive  reaction  and  tries 
to  say,  “I  know  it  seems  scary,  but  eight 
times  as  many  people  die  in  cars  as  they  do 
on  buses.  In  fact,  only  one  person  dies  on  a 
bus  for  every  500  million  miles  buses  travel. 
Buses  are  safer  than  cars.” 

Unfortunately  for  us,  that’s  often  not 
the  voice  that  wins.  Intuitive  risk  proces¬ 
sors  can  easily  overwhelm  analytical  ones, 
especially  in  the  presence  of  those  etched-in 
images,  sounds  and  experiences.  Intuition 
is  so  strong,  in  fact,  that  if  you  presented 
someone  who  had  experienced  a  bus  acci- 


THE  DISCLOSURE  SERIES 

See  www2.csoonline 
.com/exclusives/column 
.html?CID=33571  for  the  full 
version  of  this  article,  plus 
more  about  disclosure: 

■  How  to  write  a  breach 
disclosure  letter 

■  A  state-by-state  map 
of  breach  laws 

■  What’s  next  with 
disclosure  legislation 

■  And  more. 


dent  with  factual  risk  analysis  about  the 
relative  safety  of  buses  over  cars,  it’s  highly 
possible  that  he’d  still  choose  to  drive  his 
kids  to  school  because  his  brain  washes 
him  in  those  dreadful  images  and  reminds 
him  that  he  controls  a  car  but  doesn’t  con¬ 
trol  a  bus.  A  car  just  feels  safer.  “We  have 
to  work  real  hard  in  the  presence  of  images 
to  get  the  analytical  part  of  risk  response  to 
work  in  our  brains,”  says  Slovic.  “It’s  not 
easy  at  all.” 

And  we’re  making  it  harder  by  disclos¬ 
ing  more  risks  than  ever  to  more  people 
than  ever.  Not  only  does  all  of  this  disclo¬ 
sure  make  us  feel  helpless,  but  it  also  gives 
us  even  more  of  those  images  and  experi¬ 
ences  that  trigger  the  intuitive  response 


without  analytical  rigor  to  override  the 
fear.  Slovic  points  to  several  recent  cases 
where  reason  has  lost  to  fear:  the  sniper 
who  terrorized  Washington  D.C.,  patho¬ 
genic  threats  like  MRSA  and  brain-eating 
amoeba.  Even  the  widely  publicized  drunk¬ 
driving  death  of  a  baseball  player  last  year 
led  to  decisions  that,  from  a  risk  perspec¬ 
tive,  were  irrational. 

The  best  example  of  the  intuitive 
brain  fostering  bad  decision 
making  is  terrorism,  which 
produces  the  most  existential 
nausea  of  all.  On  a  group  scale,  it 
can  be  argued  that  decisions  following  9/11 
were  poor,  emotional  and  failed  to  address 
the  risks  at  hand.  Not  only  that,  those  deci¬ 
sions  took  necessary  but  limited  resources 
away  from  other  risks  more  likely  to  affect 
us  than  terrorism.  Like  hurricanes. 

The  effect  is  identical  with  individuals. 
Ask  100  people  which  is  a  bigger  danger 
to  them,  getting  five  sunburns  or  getting 
attacked  by  terrorists,  and  many  will  cite 
the  latter. 

That’s  intuitive.  Terrorism  is,  well,  ter¬ 
rifying.  But  it’s  also  exceedingly  rare.  In  an 
excellent  paper,  University  of  Wisconsin 
Professor  Emeritus  Michael  Rothschild 
deigns  to  conjure  the  awful  to  make  an 
important  point.  He  shows  that  if  terror¬ 
ists  were  able  to  hijack  and  destroy  one 
plane  per  week  and  you  also  took  one  trip 
by  plane  per  month  in  that  same  time,  your 
odds  of  being  affected  by  those  terrorist 
attacks  are  still  minuscule,  one  in  135,000. 

Even  if  that  implausible  scenario  played 
out,  you  would  still  be  about  4.5  times  more 
likely  to  die  from  skin  cancer  next  year  (one 
in  30,000)  and  900  times  more  likely  to  get 
skin  cancer  if  you’ve  had  five  sunburns  in 
your  life  (one  in  150). 

But  that  doesn’t  matter.  For  sunburns, 
we  have  all  kinds  of  ways  to  exert  control 
and  make  us  feel  less  helpless:  hats,  SPF 
50  lotions,  perceived  favorable  genetic 
histories  and  self-delusion— “My  sunburn 
isn’t  as  bad  as  that  guy’s.”  We  have  volume 
knobs  for  that  radio. 

For  terrorism,  we  have  no  volume 
knobs.  ■ 


Scott  Berinato  is  former  executive  editor  of 
CSO.  Send  feedback  to  Editor  Derek  Slater  at 
dslater@cxo.com. 


April  2008  www.csoonline.com  31 


[  undercover] 

By  Anonymous 


How  Not  to  Hire  an  Information 
Security  Officer  Who’s  on  Parole 

After  learning  that  HR  “forgot”  to  do  a  background  check  on  a  security 
staffer  with  a  felony  record,  a  leader  reexamines  his  organization’s  policies 


I  was  having  lunch  last  week  with 
the  senior  executive  for  one  of  the 
large  agencies  in  the  government 
organization  where  I  work,  when  I 
asked  about  the  agency’s  informa¬ 
tion  security  officer.  I’d  heard  that  the  ISO 
had  left  his  job  rather  quietly  and  quickly 
a  few  weeks  earlier,  but  I  hadn’t  been  able 
to  get  a  clear  answer  or  reasonable  expla¬ 
nation  as  to  why.  This  isn’t  as  strange  as  it 
may  sound.  Our  government  organization 
is  very  decentralized,  and  the  agency  ISOs 
don’t  work  directly  for  me.  I  don’t  have 
any  real  authority  over  them  other  than  to 
ensure  they  institute  the  enterprise  security 
policies  within  their  agencies  (but  that’s  a 
whole  different  story). 

The  senior  executive  told  me  that  he’d 
been  meaning  to  bring  me  up  to  speed  on 
the  situation  but  that  it  was  very  compli¬ 
cated,  and  after  the  ISO  left,  he  didn’t  feel  a 
sense  of  urgency  to  close  the  loop.  Because 
the  senior  executive  was  relatively  new  in 
the  position,  he’d  spent  some  time  trying 
to  get  to  the  bottom  of  the  whole  situation 
himself.  My  antennas  were  now  wagging  in 
anticipation. 

Here’s  the  rest  of  the  story.  This 
employee  had  been  quickly  hired  about 
a  year  ago  to  fill  a  critical  vacancy.  The 
agency  was  preparing  for  a  couple  of  fairly 
extensive  federal  audits  and  also  needed  a 
security  manager  to  mitigate  some  critical 
vulnerabilities  from  a  recent  vulnerability 
assessment  and  other  new  enterprise  secu¬ 
rity  requirements  that  I  had  recently  initi¬ 
ated.  This  particular  ISO  quickly  became 
one  of  the  more  proactive  and  effective 
security  officers  in  the  more  than  20  agen¬ 
cies  in  our  government  organization.  In  fact, 
he  was  one  of  the  leaders  whom  I  held  up 
as  an  example  to  others  because  he  took 


the  initiative  to  stay  in  front  of  his  agency’s 
security  problems. 

Then  one  day  about  eight  weeks  ago,  the 
HR  director  from  this  particular  agency  had 
received  a  call  from  a  county  probation  offi¬ 
cer,  who  said  that  one  of  his  probationers 
was  employed  and  had  been  lying  to  him. 
He  was  angry  and  told  the  HR  director  that 
he  suspected  this  person  had  been  lying  to 
the  agency  as  well. 

Guess  who  the  employee  was. 


Oops,  We  “Forgot” 

This  revelation  was  a  bit  of  a  shock  to  both 
the  HR  director  and  the  senior  executive, 
because  they  weren’t  even  aware  that  the 
employee  had  legal  problems— let  alone 
that  he  was  on  probation.  He  was,  after  all, 
just  the  information  security  officer!  After 
some  investigation  and  discussion  with 
the  probation  officer,  they  discovered  that 
after  being  convicted  of  felony  embezzle¬ 


ment,  this  employee  had  been  released 
from  prison  mere  weeks  before  being  hired 
as  a  public  servant  in  this  public  agency. 
OK,  fellow  CSOs  and  CISOs,  can  you  see 
where  this  is  headed?  Are  you  beginning  to 
perspire? 

While  my  first  thought  was,  Are  you 
kidding  me?  my  first  question  to  the  senior 
executive  was,  “Do  you  have  a  policy  for 
conducting  background  investigations, 
and  do  you  follow  it?”  The  answers  were 
“Yes”  and  “Usually.”  In 
the  haste  to  get  some¬ 
one  hired,  a  former  HR 
staffer  had  simply  for¬ 
gotten  the  background 
check  portion  of  the 
hiring  process.  There 
was  obviously  no  check¬ 
list  to  make  sure  that  all 
components  of  the  pro¬ 
cess  were  completed. 

One  of  the  most 
important  things  an 
organization  can  do  dur¬ 
ing  the  hiring  process 
is  to  conduct  a  back¬ 
ground  check.  This  is 
especially  critical  for 
those  in  positions  that 
require  a  high  degree  of 
integrity  and  ethics.  It 
does  all  of  us  a  great  deal  of  harm  to  have 
someone  in  our  midst  who  causes  our  cred¬ 
ibility  to  be  questioned.  I  also  believe  that 
we  should  raise  that  bar  for  employees  who 
hold  a  position  of  trust  or  have  access  to  crit¬ 
ical  systems  and  information— employees 
such  as  information  security  officers.  Back¬ 
ground  checks  won’t  necessarily  eliminate 
fraud  or  ethically  challenged  employees, 
but  the  process  might  lead  us  to  ask  some 


32  www.csoonline.com  April  2008 


Illustration  by  Ryan  Snook 


hard  questions  before  actually  hiring  a  per¬ 
son,  or  at  least  give  us  some  insight  into  his 
or  her  prior  work  or  personal  history. 

Hiring  Horrors 

We’ve  all  heard  the  statistics  that  some¬ 
where  around  50  percent  of  all  informa¬ 
tion  security  incidents  are  caused  by  the 
insider  threat.  These  aren’t  all  malicious  in 
nature,  of  course,  but  a  substantial  number 
of  them  are.  A  number  of  recent  cases  make 
the  hair  on  the  back  of  my  neck  stand  up, 
including: 

■  The  woman  who  thought  she  was 
going  to  be  fired  from  her  job  at  an 
architectural  firm,  so  she  deleted  seven 
years’  worth  of  architectural  blueprints 
and  drawings  estimated  to  be  worth 
$2.5  million. 

■  The  guy  who  planted  a  logic  bomb  on 
the  St.  Cloud  (Minnesota)  Hospital 
computer  system  that  activated  several 
months  after  his  departure,  disabling 
the  program  he  had  created. 

■  The  Georgia  state  agency  worker  who 
was  charged  in  2005  with  computer 
intrusion  and  theft  after  accessing 
Georgia  drivers’  license  files  outside  of 
work  hours  and  without  authorization. 

■  The  former  DuPont  scientist  who  pled 
guilty  to  theft  of  trade  secrets.  After 
discovering  that  the  scientist  was 

the  second  most  active  user  of  the 
company’s  database,  DuPont  found 
that  he  had  accessed  thousands  of 
documents  with  the  intent  of  giving 
them  to  a  competitor. 

Would  a  background  check  have  turned 
up  something  to  make  any  of  the  employ¬ 
ers  question  the  morals  or  ethics  of  these 
employees?  Maybe  or  maybe  not,  but  at 
least  the  companies  could  have  answered 
with  a  straight  face  questions  about  how 
well  they  vetted  the  employees. 

Even  more  troubling  are  the  incidents 
involving  those  in  law  enforcement  who 
are  entrusted  to  protect,  but  instead  violate 
that  trust.  Just  in  the  past  few  months: 

■  A  Virginia  police  sergeant  was  charged 
with  accessing  the  FBI’s  National 
Crime  Information  Center  database  for 
personal  reasons. 

■  Two  Collier  County  (Florida)  Sheriff’s 
Office  employees  were  charged  with 
inappropriately  accessing  the  office’s 
computer  system  to  find  out  informa¬ 


tion  about  other  people. 

■  A  veteran  of  the  Hartford,  Conn., 
police  force  looked  up  information 
from  the  National  Crime  Information 
Center  and  gave  it  to  a  friend. 

Surely  these  trained  law  enforcement 
personnel  knew  this  kind  of  activity  was 
wrong.  These  violations  do  a  significant 
amount  of  damage  to  public  trust.  Although 
background  investigations  obviously  can’t 
deter  or  stop  everything,  they  might  pro¬ 
vide  an  indicator  of  future  behavior. 

The  recent  case  in  January  of  the 
futures  trader  at  the  French  bank  Societe 
Generate— the  one  who  allegedly  bypassed 
established  computer-control  systems  to 
generate  fictitious  financial  transactions 


that  caused  over  $7.2  billion  in  losses  for 
the  bank— is  another  situation  that  might 
have  been  deterred.  That  amount  of  money 
is  going  to  have  a  lot  of  people  asking  a  lot  of 
questions.  A  recurrent  background  check 
may  have  turned  up  some  information  to 
indicate  that  this  guy  was  a  potential  threat 
to  the  organization. 

What  Not  to  Forget 

So  what  does  a  background  check  consist 
of,  and  how  do  you  do  one?  While  back¬ 
ground  checks  were  traditionally  done  by 
the  police,  today  there  are  many  local  and 
national  private  companies  that  offer  back¬ 
ground  check  services.  Like  most  things, 
you  get  what  you  pay  for.  A  simple  online 
background  check  will  provide  quick,  basic 
information,  while  a  more  comprehensive 
investigation  can  cost  hundreds  of  dollars 
and  take  considerably  more  time.  Either 
way,  the  purpose  is  to  give  some  insight  into 
a  person’s  character  based  on  past  actions 
and  records.  Depending  on  the  extent  of 
background  check  desired,  it  can  provide 
information  about  a  person’s  financial, 
criminal  and  even  personal  history,  includ¬ 
ing  bankruptcies,  motor  vehicle  tickets 
and  employment  records.  I  recommend  a 
personnel  security  policy  that  includes,  at  a 


minimum,  the  following  components: 

■  A  requirement  for  all  new  employees, 
including  contractors,  interns  or  other 
temporary  employees,  to  pass  a  basic 
background  check. 

■  A  definition  of  “positions  of  trust” 
that  require  a  higher  level  of  scrutiny 
for  background  checks.  This  might 
include  anyone  who  has  access  to  large 
sums  of  money  or  financial  accounts, 
citizen  or  customer  personal  informa¬ 
tion,  proprietary  information  or  intel¬ 
lectual  property,  and  intelligence-  or 
law-enforcement-related  information. 

■  A  requirement  that  all  new  employees 
working  in  a  position  of  trust,  or  who 
routinely  have  access  to  any  kind  of 


personally  identifiable  information  or 
other  sensitive  information,  complete  a 
comprehensive  background  check  that 
includes  criminal  records,  education 
records,  credit  history,  employment 
records,  driving  records  and  drug  test¬ 
ing  where  applicable. 

■  A  policy  defining  the  specific  criteria 
for  what  would  disqualify  a  poten¬ 
tial  employee  from  working  in  the 
organization. 

■  A  requirement  that  an  “update”  back¬ 
ground  check  be  done  at  least  once 
every  three  years  on  existing  employ¬ 
ees  and  contractors  in  positions  of 
trust. 

■  A  policy  that  establishes  specific 
passing  criteria  as  a  condition  of 
employment. 

The  ancient  Roman  poet  Juvenal  asked, 
“Quis  custodiet  ipsos  custodes?”  which 
translates  to  “Who  watches  the  watchmen?” 
For  those  of  us  responsible  for  protecting 
the  sensitive  and  critical  personal  infor¬ 
mation  of  our  citizens  and  customers,  the 
answer  had  better  be,  “We  do!”  ■ 


This  column  is  written  anonymously  by  a 
real  CSO.  Send  your  comments  via  e-mail  to 
csoundercover@cxo.com. 


Then  one  day,  the  HR  director  received  a  call 
from  a  county  probation  officer,  who 

said  that  one  of  his  probationers  was  employed 
at  the  agency  and  had  been  lying  to  him. 


April  2008  www.csoonliRe.com  33 


[  INDUSTRY  VIEW] 

By  Jeff  Snyder 


The  Better  Background? 

What’s  the  better  experience  base  to  lead  a  converged  organization- 
information  security  or  physical  security?  A  recruiter  gives  his  observations 


When  companies  decide 
to  combine  logical  and 
physical  security,  one  of 
the  first  challenges  they 
face  is  finding  a  leader 
who  has  been  exposed  to  both  information 
security  and  physical  security.  Someone 
has  to  be  put  in  place  to  create  change.  Who 
is  this  person?  What  is  his  skill  set? 

I  speak  with  both  information  security 
and  physical  security  professionals  every 
day,  and  when  the  conversation  turns  to 
who  is  best-equipped  to  lead  a  converged 
security  operation,  I  hear  many  opposing 
opinions.  Usually,  the  opinion  of  the  per¬ 
son  to  whom  I’m  speaking  has  a  lot  to  do 
with  his  or  her  experience.  Whose  point  of 
view  is  correct?  I  don’t  know  for  sure,  but  I 
can  tell  you  about  the  conclusions  reached 
by  three  companies  that  have  recently  con¬ 
tacted  me  for  assistance  in  their  search  for 
a  converged  security  leader. 

Example  is  At  one  global  company,  the 
newly  hired  executive  will  have  responsi¬ 
bility  over  information  security,  physical 
security,  facilities  security,  business  conti¬ 
nuity,  global  supply  chain  security,  brand 
and  reputation  protection,  and  all  the  facets 
of  risk  management  that  could  be  wrapped 
around  the  aforementioned  topics.  Nobody 
I  spoke  with  possessed  expertise  in  every 
topic.  My  client  interviewed  the  top  three 
CSO-tracked  and  top  three  CISO-tracked 
candidates  I  surfaced.  Only  the  top  three 
CISO-tracked  professionals  were  invited 
in  for  face-to-face  interviews.  Each  of  these 
business-sawy  professionals  was  techni¬ 
cally  sound,  had  significant  exposure  to 
physical-security  issues  and  was  an  out¬ 
standing  communicator  and  leader. 

Example  2:  A  90-year-old  global  com¬ 
pany  that  is  used  to  dealing  with  physical 


security  issues  has  recently  experienced  a 
change  in  its  business  model,  causing  the 
business  to  become  more  and  more  digitally 
driven.  The  company  is  creating  a  VP-level 
security  role  and  believes  that  60  percent 
to  70  percent  of  the  new  VP’s  responsi¬ 
bility  will  be  the  protection  of  electronic 
assets,  while  the  remaining  part  of  his 
or  her  job  will  be  a  mix  of  blended  issues 
such  as  access  controls  and  fraud  detec¬ 


tion/prevention,  along  with  many  purely 
physical  issues.  The  search  team  has  con¬ 
cluded  that  the  most  desirable  candidate 
to  address  these  needs  will  come  from 
a  strong  information-security  and  risk- 
management  background  and  will  have 
some  exposure  to  physical  security  issues. 

Example  3:  Folks  from  another  global 
company  recently  discussed  with  me  their 
plans  to  replace  a  retiring  physical-secu¬ 
rity-focused  CSO.  Their  intention  is  to  hire 
someone  with  an  80  percent  information- 
security  skill  set. 

In  their  own  ways,  these  three  com¬ 
panies  came  to  the  same  conclusion.  They 
have  decided  that  50  percent  to  80  percent 
of  the  skill  set  they  need  is  an  information- 


security  skill  set.  They  argue  that  an  infor¬ 
mation-security-skilled  executive  should 
be  able  to  bring  the  right  blend  of  techni¬ 
cal  skills,  business  understanding  and 
executive  leadership  to  meet  the  modern 
challenges  faced  by  their  company.  On  the 
physical  security  front,  they  do  not  expect 
the  executive  they  hire  to  be  an  expert  in  all 
physical  security  topics,  but  they  do  expect 
that  person  to  have  enough  exposure  to  the 
physical  side  to  lead  individuals  on  the  team 
who  do  possess  physical  security  expertise. 

Someone  with  a  stronger  background 
in  corporate  security  certainly  could 
argue  that  he  or  she  could  simply  hire  a 
strong  information- security  subordinate 
to  lead  the  infosec  aspect  of  the  organiza¬ 
tion.  In  my  experience,  that  argument  just 
hasn’t  worked  as  well.  For  whatever  rea¬ 
son,  leaders  with  an  information- security 
background  more  often  seem  to  have  the 
business  savvy  that  makes  upper  man¬ 
agement  confident  in  their  ability  to  break 
down  silos  that  have  built  up  over  time. 

Besides,  a  converged  CSO  role  is  increas¬ 
ingly  a  technical  one.  Electronic  record 
issues,  data  privacy  issues  and  regulatory 
compliance  pressures  are  becoming  more 
and  more  complex.  As  I  listen  to  the  conclu¬ 
sions  my  clients  have  reached  as  they  work 
through  the  process  of  determining  what  a 
converged  security  skill  set  looks  like,  I  hear 
them  place  most  of  the  emphasis  in  their 
description  on  a  deep  and  diverse  technol¬ 
ogy  and  information-security  background. 

The  decision  to  converge  information 
and  physical  security  is  a  bigger  decision 
than  what  meets  the  eye— as  is  the  ability  to 
succeed  in  a  newly  converged  position.  ■ 


Jeff  Snyder  is  president  of  Securityrecruiter 
.com. 


34  www.csoonline.com  April  2008 


SECURITY 


TM 


N  E  WS  LE 


Security  Smart  is  a  quarterly  security  awareness  newsletter  ready 
for  distribution  to  your  employees — saving  you  precious  time  on 
employee  education!  The  compelling  content  combines  personal 
and  organization  safety  tips  so  is  applicable  to  many  facets 
of  employees'  lives.  And  the  easy  to  read  design  has  multiple 
entry  points  so  you  are  assured  that  your  intended  audience  of 
employees — your  organization's  most  valuable  assets — will  read 
and  retain  the  information. 


Subscribe  today! 


To  view  a  sample  issue  of  the  newsletter,  learn  about  the 
delivery  options  and  to  subscribe  visit: 

www.SecuritySmartNewsletter.com 


ur  it 


y 


■frai 


4/Vo  ( 


11 Key 


Ar  lV( 


-'oUdn.:y°u 

ble  talert" 

/mm  5^, 


'O  UK 


4/Vo 


ATHo, 


’/Iff 


&»•*» 

,°<!se0t 

us- 


-  sis? 

r  $Sa; 

;w 

«4„f py°r'i*£z?l‘°uda,^_  metssoom 


*5^ ' 
***>>■  °* 


^ , 


For  more  information  please  visit 

www.SecuritySmartNewsletter.com 

Security  Smart  is  published  by  CS0,  a  business  unit  of  CXO  Media.  ©  2007  CXO  Media  Inc. 


cso 


BUSINESS  RISK  LEADERSHIP 


[  debriefing] 

The  Journey  to  Risk 


Root  Meaning 


THE  MOST  INTENSE  RUSH  I  feel  when  I  go  hiking  occurs 
just  beyond  halfway  up  to  the  summit,  when  I  know  that  the 
trailhead’s  well  behind  me  and  the  peak’s  a  long  way  off.  When 
I’m  losing  the  safety  nets  of  modern  life— cars,  roads,  medicine, 
hospitals— right  when  I  might  need  them  the  most.  My  brain  tells  me  to 
be  scared.  Go  back.  But  it  also  tells  me  to  be  joyful.  Keep  going.  I  feel  both 
intimidated  and  liberated. 


The  moment’s  duality  is  no 
fluke.  It’s  biological.  The  brain 
processes  uncertainty  in  two 
ways  simultaneously.  First,  it 
creates  fear  with  adrenaline 
and  an  assortment  of  30  other 
hormones.  In  animals,  this  is 
universal  and  necessary  for 
survival.  Second,  it  analyzes 
the  uncertainty.  If  evidence 
suggests  everything  will  prob¬ 
ably  be  OK,  we  can  choose 
fight  over  flight.  This,  in  turn, 
seems  to  trigger  parts  of  the 
brain  associated  with  pleasure, 
which  explains  why  some 
people  like  public  speaking  or 
the  movie  Saw  II.  Or  hiking. 

The  intensity  of  this  rush, 
of  course,  varies  with  the 
moment’s  peril.  What  I  feel 
while  hiking  is  a  mere  trace 
of  what  my  grandfather  felt  at 
the  Battle  of  the  Bulge,  on  the 
precipice  of  frostbite  and  being 
shot  at.  But  the  chemistry  is 
universal.  We  have  all  felt  this 
combination  of  intimidation 
and  liberation,  and  so  has 
everyone  throughout  history. 
Those  feelings  connect  us 
to  the  past  in  palpable  way. 
Mozart  felt  it  when  he  moved 
to  Vienna  at  26  to  compose, 
despite  mediocre  prospects. 
Crew  members  on  Ponce  de 
Leon’s  ship  Santiago  were 
washed  with  the  same  chemi¬ 
cals  as  they  approached  the 


new  world.  When  he  crossed 
the  Rubicon  and  marched 
to  Rome,  Julius  Caesar  must 
have  experienced  this  same 
adrenaline-fueled  mix  of  fear 
and  excitement. 

If  he  were  real,  Odysseus 
may  have  felt  the  most  intense 
rush  of  us  all.  In  Book  12  of 
Homer’s  epic,  Odysseus’  starv¬ 
ing  crew  defied  the  Sun  God 
Helios  Hyperion  by  hunting 
his  immortal  cattle  for  food. 
Helios  calls  on  his  friend  Zeus 
who,  after  toying  with  the  crew 
for  a  week,  smotes  them.  Only 
Odysseus  survives,  but  he’s 
blown  back  to  the  impossible- 
to-navigate  narrows  where  the 
monsters  Scylla  and  Charybdis 
live— the  original  rock  and 
hard  place.  Odysseus  survives 


by  hanging  on  to  the  roots  of 
a  fig  tree  atop  one  of  the  cliffs. 
The  original  cliffhanger. 


It’s  hard  to  imagine  any 
situation  that  would  produce 
a  more  intense  rush  than  what 
Odysseus  would  have  felt.  Per¬ 
haps  that’s  why  the  word  we 
use  to  this  day  to  describe  what 
produces  the  rush  comes  from 
this  scene  in  this  story. 

Odysseus  clung  to  the  fig 
tree’s  roots,  a  word  in  ancient 
Greek  transcribed  as  rhiza  or 
rhizikon.  It  also  came  to  mean 
cliff,  and,  eventually,  it  gained 
the  metaphorical  meaning 
“difficulty  to  avoid  in  the  sea” 
as  the  root  came  to  symbolize 
the  situation  Odysseus  found 
himself  in. 

In  Caesar’s  Rome,  the  word 
became  risicum.  Latin  passed 
the  word  to  Spanish  as  riesgo, 
which  to  crew  members  on 
Santiago  meant  “to  sail  into 
uncharted  waters.”  Latin  also 
led  to  the  Italian  risico,  which 
itself  passed  on  to  middle-high- 
German  at  the  dawn  of  the 
Renaissance  as  rysigo,  but  by 
then  it  had  lost  its  seafaring 
meaning  all  together.  Rysigo 
was  a  word  the  German-speak¬ 
ing  Mozart  could  relate  to. 

It  was  a  business  term  that 
meant  “to  dare,  to  undertake, 
enterprise,  hope  for  economic 
success.” 

The  Greek  word  became 
rhizikon  became  risicum 
became  riesgo  and  risico.  Risico 
became  rysigo.  The  French 
called  it  risque.  Halfway  up  a 
mountain,  in  my  body,  I  can 
actually  feel  risk. 


Scott  Berinato,  with  thanks  to 
RolfSkjong. 


36  www.csoonline.com  April  2008 


Illustration  by  Corbis 


iSK  comes  in  many  rori 

l\Aak.ing  risk.  intelligent  decisions 
to  manoae  security 


Information  security,  privacy  &  data  protection  are  management  issues  with  global  business  implications.  The  associated 
risks  of  doing  business  today  need  to  be  clearly  understood  in  order  to  effectively  manage  your  business  and  protect 
your  organization. 


Managing  information  security  &  privacy  risk  at  the  enterprise  level  enables  companies  to  achieve  more  efficient  and 
effective  security  and  data  protection  processes  and  programs.  Issues  such  as  stakeholder  value,  consumer  confidence, 
brand  and  reputation  protection,  and  legal  and  regulatory  compliance  can  be  addressed.  The  Security  &  Privacy 
professionals  of  Deloitte  &  Touche  LLP  help  you  take  advantage  of  this  dynamic  situation  while  helping  to  manage 
security  risk.  With  the  largest  security  and  risk  practice  in  the  world,  we  can  help. 


As  an  industry  leader  offering  global  security  and  privacy  solutions,  we  are  focused  on 
delivering  excellent  client  service  through  a  network  of  offices  in  nearly  1 50  countries. 


Our  Security  &  Privacy  practice  offers  a  broad  array  of  services  and  solutions 
in  the  following  areas: 

•  Security  Management 

•  Privacy  &  Data  Protection 

•  Identity  and  Access  Management 

•  Application  Integrity 

•  Business  Continuity  Management 

•  Vulnerability  Management 

•  Infrastructure  &  Operations  Management 


Deloitte  is  a  Leader  in  Security  Consulting  with  Solid  Depth  and  Global  Reach.1 

"The  Forrester  Wave™:  Security  Consulting,  Q3  2007”,  September  2007 

Deloitte  is  best  suited  for  combined  security  and  risk  management  solutions." 

"The  Forrester  Wave™:  Security  Consulting,  Q3  2007",  September  2007 


Visit  us  online  at  www.deloitte.com/us/security/CI03 


Deloitte 


Audit  .Tax .  Consulting .  Financial  Advisory 


About  Deloitte 


Deloitte  refers  to  one  or  more  of  Deloitte  Touche  Tohmatsu,  a  Swiss  Verein,  its  member  firms  and  their  respective  subsidiaries  and  affiliates.  As  a  Swiss  Verein 
(association),  neither  Deloitte  Touche  Tohmatsu  nor  any  of  its  member  firms  has  any  liability  for  each  other's  acts  or  omissions.  Each  of  the  member  firms  is  a 
separate  and  independent  legal  entity  operating  under  the  names  "Deloitte",  "Deloitte  &  Touche",  "Deloitte  Touche  Tohmatsu"  or  other  related  names. 
Services  are  provided  by  the  member  firms  or  their  subsidiaries  or  affiliates  and  not  by  the  Deloitte  Touche  Tohmatsu  Verein. 

Deloitte  &  Touche  USA  LLP  is  the  U.S.  member  firm  of  Deloitte  Touche  Tohmatsu.  In  the  United  States,  services  are  provided  by  the  subsidiaries  of  Deloitte  & 
Touche  USA  LLP  (Deloitte  &  Touche  LLP,  Deloitte  Consulting  LLP,  Deloitte  Financial  Advisory  Services  LLP,  Deloitte  Tax  LLP,  and  their  subsidiaries),  and  not  by 

Deloitte  &  Touche  USA  LLP. 

Member  of  Deloitte  Touche  Tohmatsu 

Copyright  ©  2008  Deloitte  Development  LLC.  All  rights  reserved. 


I  am  fearless 


I  protect  a  2  billion  dollar  retail  business 

I  believe  security  should  enable 
business  growth  not  limit  it. 

I  focus  on  what’s  important. 


I  innovate 


I  am  fearless 


When  it  comes  to  security,  most  businesses  understand  what  it  means  to  fail.  But  few  can  imagine 
what  it  would  mean  to  succeed.  RSA’s  information-centric  security  solutions  can  move  your  business 
forward.  That’s  why  we’re  the  chosen  security  partner  of  more  than  90  percent  of  the  Fortune  500. 

Don’t  just  secure  your  business.  Accelerate  it.  Learn  more  at  www.rsa.com/go/kayak  The  Security  Division  of  emc 

Secure  Anytime  Protect  Secure  Manage  Compliance 

Anywhere  Access  Customer  Identities  Enterprise  Data  and  Security  Information 


©2007  RSA  Security  Inc.  All  rights  reserved.  RSA  and  the  RSA  logo  are  either  registered  trademarks  or  trademarks  of  RSA  Security  Inc.  in  the  United  States  and/or  other  countries. 

All  other  products  and  services  mentioned  are  trademarks  of  their  respective  companies. 


. 


■ 


No  More  Issues  of  CSO?  Your  subscription  will 
expire  unless  you  act  soon. 

Renew  now  at: 

http://csoonline.com/renew/r38 


Important:  Complimentary  subscriptions  are  limited. 
Renew  before  4/30/08  to  insure  uninterrupted 
delivery  of  your  FREE  subscription  to  CSO. 


RW3117 


